PatchSiren cyber security CVE debrief
CVE-2026-42477 Opencascade CVE debrief
CVE-2026-42477 affects Open CASCADE Technology (OCCT) OBJ file parsing and is triggered when a victim opens a crafted OBJ file. The issue is a heap-based out-of-bounds read in RWObj_Reader::read, which can lead to denial of service and may expose sensitive information. NVD maps the issue to OCCT versions up through 7.9.3 and the 8.0.0 beta/RC line through rc5, with a published date of 2026-05-01 and a later modification on 2026-05-10.
- Vendor: Opencascade
- Product: CVE-2026-42477
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-01
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-01
- Advisory updated: 2026-05-10
Who should care
Organizations and developers that use OCCT to import or process OBJ files, especially where files can come from untrusted or user-supplied sources. Security teams should also care if OCCT is embedded in CAD, visualization, or conversion workflows that accept external geometry files.
Technical summary
According to the CVE description, Standard_ReadLineBuffer::ReadLine() can return a 1-byte buffer for a minimal OBJ line, and RWObj_Reader::read() then calls pushIndices(aLine + 2) without checking that the buffer is long enough. That creates a heap-based out-of-bounds read (CWE-125, with CWE-122 also listed as secondary) during OBJ parsing. NVD reports CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H, reflecting a local impact that requires user interaction to open the crafted file.
Defensive priority
High. The vulnerability requires user interaction, but it affects file parsing of a common interchange format and can expose data or crash the process. If your environment handles untrusted OBJ files, mitigation and update planning should be prioritized.
Recommended defensive actions
- Identify all uses of Open CASCADE Technology in applications, services, plugins, and conversion pipelines that parse OBJ files.
- Restrict or sandbox handling of untrusted OBJ files until patched versions are available.
- Check vendor and downstream release channels for a fixed OCCT release; the supplied sources do not include a remediation version.
- If you maintain a fork or wrapper around OCCT, add explicit length checks before advancing pointers into line buffers and review adjacent OBJ parsing logic.
- Monitor the official CVE and NVD records for updates, including any future fix references or version clarifications.
- Treat unexpectedly small or malformed OBJ lines as invalid input in any application-layer validation or pre-processing stage.
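The defect described in the technical summary and the length check recommended above, as an added illustration that is not OCCT's own code: a constructed stand-in for a line returned by a read-line buffer, the unchecked `aLine + 2` pattern, and a bounded version that rejects a minimal line before advancing the pointer. The names `ObjLine`, `parseFaceLineUnchecked`, `parseFaceLineChecked` and `splitIndices` are hypothetical; `splitIndices` stands in for whatever pushIndices() does with the index text.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Constructed stand-in for what a read-line buffer hands the parser: a
// pointer and the number of bytes actually behind it. A minimal OBJ line
// such as "f" arrives with length == 1.
struct ObjLine {
    const char* data;
    std::size_t length;
};

struct FaceIndices {
    std::vector<std::string> tokens;  // index tokens after the "f " keyword
    bool ok;                          // false when the line was rejected
};

// Hypothetical tokenizer standing in for pushIndices(): splits on spaces
// but only ever looks at the len bytes it was given.
static std::vector<std::string> splitIndices(const char* begin, std::size_t len) {
    std::vector<std::string> out;
    std::string cur;
    for (std::size_t i = 0; i < len; ++i) {
        if (begin[i] == ' ') { if (!cur.empty()) { out.push_back(cur); cur.clear(); } }
        else cur.push_back(begin[i]);
    }
    if (!cur.empty()) out.push_back(cur);
    return out;
}

// Vulnerable pattern (illustrative, never called on short input here): the
// pointer is advanced past the keyword without consulting line.length, so a
// 1-byte line makes data + 2 point beyond the buffer (CWE-125).
FaceIndices parseFaceLineUnchecked(const ObjLine& line) {
    return { splitIndices(line.data + 2, std::strlen(line.data + 2)), true };
}

// Hardened form: the keyword test is bounded by the line length, and the
// pointer is advanced only once the line is known to contain "f " plus data.
FaceIndices parseFaceLineChecked(const ObjLine& line) {
    FaceIndices r{{}, false};
    if (line.length < 2 || line.data[0] != 'f' || line.data[1] != ' ')
        return r;                      // minimal or non-face line: reject, no OOB read
    r.tokens = splitIndices(line.data + 2, line.length - 2);
    r.ok = !r.tokens.empty();          // "f " with nothing after it is still malformed
    return r;
}

// Helper for building constructed lines from string literals.
ObjLine makeLine(const char* s) { return { s, std::strlen(s) }; }
```

The checked variant is the pattern to apply in a fork or wrapper: validate the available length before any pointer arithmetic into the line buffer.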
Evidence notes
This debrief is based on the supplied CVE description and NVD metadata. The source corpus states a heap-based out-of-bounds read in RWObj_Reader::read caused by pointer arithmetic on a potentially 1-byte buffer returned by Standard_ReadLineBuffer::ReadLine(). NVD lists affected OCCT versions through 7.9.3 and 8.0.0 beta1 through rc5, and assigns CVSS 3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H. No vendor patch announcement or fixed version is included in the supplied sources.
Official resources
- CVE-2026-42477 CVE record (CVE.org)
- CVE-2026-42477 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
Publicly disclosed on 2026-05-01 via the CVE record, with NVD metadata modified on 2026-05-10. The supplied corpus does not include a vendor-issued advisory or fix announcement.