LOW 3.3

CVE-2026-10199: Assimp Null Pointer Dereference in glTF2 Parsing

Assimp, a popular 3D asset library, contains a null pointer dereference vulnerability in its glTF2 parsing code. An attacker with local access can craft a malicious glTF2 file that triggers a crash when processed, causing a denial of service. The vulnerability affects Assimp versions up to 6.0.4 and has been publicly disclosed, though it requires local interaction and low privileges to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-404, CWE-476
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Such manipulation of the argument operator[] leads to null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue.

9 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the glTF2::LazyDict class within glTF2Asset.h. The issue stems from improper bounds checking in the operator[] function, which can be manipulated through carefully constructed glTF2 file arguments to dereference a null pointer. The attack vector is local, requires low privileges, and does not require user interaction. Both CWE-404 (Improper Resource Validation) and CWE-476 (Null Pointer Dereference) apply, indicating inadequate input validation leading to unsafe memory access.

Business impact

Organizations using Assimp in local processing pipelines—such as 3D asset conversion tools, game development workflows, or computer-aided design integrations—face denial-of-service risk. An attacker with system access (or able to place a malicious asset file on the system) can crash Assimp-dependent applications, disrupting asset pipelines or engineering workflows. The impact is limited to availability; no data exfiltration or privilege escalation is possible.

Affected systems

Assimp versions up to and including 6.0.4 are vulnerable. Any application embedding or calling Assimp for glTF2 file parsing is at risk. This includes game engines, 3D modeling tools, CAD software, and asset pipeline servers that accept user-provided or untrusted glTF2 files. Verify your specific Assimp version and update accordingly.

Exploitability

Exploitation requires local access and low privileges, but no authentication bypass or complex manipulation is needed. The public disclosure means attack code and reproduction techniques are accessible. However, real-world impact depends on whether the application processes untrusted glTF2 files or runs in an environment where local attackers are present. Environments that process only trusted, internally-generated assets face lower risk.

Remediation

Upgrade Assimp to a version containing the patch commit d24b85319bd70c65883a2b96613e07e23fb95981 or later. Verify the exact patch release version against the official Assimp repository and security advisories. As an interim measure, restrict file processing to trusted sources and disable glTF2 parsing if not required. Validate glTF2 file integrity before processing.

Patch guidance

Apply the patch corresponding to commit d24b85319bd70c65883a2b96613e07e23fb95981. Consult the Assimp GitHub repository and official security advisories for the specific version number and release date. Update all dependent applications and rebuild if Assimp is statically linked. Test patched versions in a staging environment before production deployment, particularly for critical asset pipeline infrastructure.

Detection guidance

Monitor for crashes or exceptions in Assimp-dependent applications when processing glTF2 files. Log and alert on null pointer exceptions in glTF2Asset.h. Implement file validation before passing glTF2 assets to Assimp (e.g., schema validation, file integrity checks). In development environments, enable address sanitizers (ASan) or memory debugging tools to catch null pointer dereferences during testing. Restrict file upload permissions to prevent injection of malicious assets.

Why prioritize this

Despite a low CVSS score of 3.3, prioritize this based on your asset pipeline architecture. If Assimp is embedded in critical production tools or processes untrusted external files, elevation to medium priority is justified. Organizations with sandboxed, offline asset processing or internal-only file sources can defer patching. The public disclosure means active exploitation risk is elevated relative to the base score alone.

Risk score, explained

The CVSS 3.1 score of 3.3 (LOW) reflects limited attack scope: local access, low privileges, no user interaction, and impact limited to availability (denial of service). The attack vector is not network-exploitable, reducing severity. However, the score does not account for how critical Assimp is to your specific workflows. Customize your internal risk rating based on whether you process untrusted files and the business cost of pipeline disruption.

Frequently asked questions

Can this vulnerability be exploited remotely or over the network?

No. The vulnerability requires local access and low privileges. It cannot be exploited via network-based file uploads unless the processing occurs on the local system where an attacker already has access. Network-facing asset ingestion tools may still be at risk if they process files locally.

Does this vulnerability lead to code execution or data theft?

No. The null pointer dereference causes a denial of service (crash) only. There is no code execution, memory corruption that could enable ROP, or data exfiltration. Impact is limited to application availability.

Which versions of Assimp are vulnerable?

Assimp versions up to and including 6.0.4 are confirmed vulnerable. Verify your installed version and apply patches as soon as the fixed release is available. Check the official Assimp repository and security advisories for patched version numbers.

What is the best immediate action if I cannot patch immediately?

Restrict glTF2 file processing to trusted, internally-generated assets only. Disable glTF2 support in Assimp if it is not required for your use case. Implement strict file validation and sandboxing for any asset pipeline processing. These controls reduce exploitability even on unpatched versions.

This analysis is based on the published CVE record and vendor advisories as of the modification date. CVSS scores and severity assessments are provided by NVD and may not reflect your organization's risk tolerance or environment. Verify patch availability and version numbers against official Assimp GitHub and security advisories before deploying updates. SEC.co provides this information for situational awareness and does not guarantee the accuracy or completeness of third-party vendor remediation timelines. Test patches in non-production environments first. Consult your incident response team and vendor documentation for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).