CVE-2026-10201: Assimp FBX Divide-by-Zero Denial of Service
CVE-2026-10201 is a divide-by-zero flaw in Assimp (Asset Importer Library), a widely-used 3D model processing library. The defect exists in the UV Channel Handler component, specifically within the FBXExporter::WriteObjects function in FBXExporter.cpp. When a user with local access supplies specially crafted input, the vulnerability triggers a division-by-zero error that crashes the application. Because this is a local-only attack requiring user-level privileges and the impact is availability-focused (denial of service via crash), the risk is classified as low. However, the fact that proof-of-concept code has been publicly released means defenders should not assume this will remain a theoretical concern.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-369, CWE-404
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was determined in Assimp up to 6.0.4. This vulnerability affects the function FBXExporter::WriteObjects of the file FBXExporter.cpp of the component UV Channel Handler. Executing a manipulation can lead to divide by zero. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Applying a patch is advised to resolve this issue. The project tagged the reported issue as bug.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient input validation in Assimp's FBX exporter when processing UV channel data. The FBXExporter::WriteObjects function fails to validate a numeric value before using it as a divisor, allowing a zero value to reach a division operation. This triggers an unhandled divide-by-zero exception (CWE-369), resulting in process termination. The flaw is compounded by inadequate error handling that does not gracefully catch or prevent the exception (CWE-404). Affected versions include Assimp up to and including 6.0.4. The vulnerability requires local code execution context and user-level privileges; it cannot be exploited remotely or without authentication.
Business impact
For organizations embedding Assimp in desktop or server-based 3D modeling tools, media conversion pipelines, or game asset importers, this vulnerability introduces a denial-of-service vector. An employee or operator who opens a malicious FBX file can crash the application, disrupting workflows and causing data loss if unsaved work is in progress. In automated batch-processing environments (e.g., asset pipelines), a poisoned file can halt processing queues. The risk is typically low for organizations where file sources are controlled and validated, but higher for those accepting 3D models from untrusted or external sources.
Affected systems
Assimp versions up to 6.0.4 are vulnerable. Any application or service that links against vulnerable Assimp releases and exposes FBX import/export functionality is at risk. Common affected use cases include: 3D modeling and animation tools, game engines with built-in asset import, media conversion utilities, architectural visualization software, and automated asset pipelines. Web services that process FBX files server-side are theoretically at lower risk due to the local-only requirement, but internal tools and desktop applications are directly exposed.
Exploitability
The attack is straightforward: a specially crafted FBX file with a zero value in a specific UV channel field is supplied to an application using vulnerable Assimp. No special privileges beyond local user access are required; execution occurs in-process when the file is opened or exported. Proof-of-concept code has been publicly disclosed, lowering the barrier for potential attackers. However, exploitation is limited to local scenarios—remote code execution is not possible, and the attacker must have the ability to place a file where the target application will process it. In many enterprise environments with restricted file sources, this constraint significantly reduces practical risk.
Remediation
Upgrade Assimp to a patched version beyond 6.0.4. Verify the exact version number and availability date against the official Assimp project repository and release notes. Implement input validation and sanitization for FBX files before processing, particularly in high-risk scenarios. Consider restricting FBX import to known-good sources and scanning files with static analysis tools when possible. For organizations unable to patch immediately, monitor application logs for unexpected crashes during FBX operations and restrict user access to 3D import features where feasible.
Patch guidance
Check the official Assimp GitHub repository and release notes to identify the first patched version after 6.0.4. Once confirmed, test the upgrade in a non-production environment with your application stack before deployment. If you maintain custom builds of Assimp, apply the corresponding fix to the FBXExporter.cpp file—specifically, add null checks and validation for the divisor before the division operation in FBXExporter::WriteObjects. Verify that your patched build resolves the divide-by-zero condition and does not introduce regressions. In container or virtualized environments, update base images and rebuild deployments to include the patched library version.
Detection guidance
Monitor for application crashes with stack traces mentioning FBXExporter.cpp or divide-by-zero exceptions during FBX file processing. Log file access and import operations in 3D tools, flagging unusual or unexpected .fbx files in processing pipelines. Use static analysis on third-party FBX files to detect anomalies in UV channel structures. Application performance monitoring (APM) tools can detect sudden terminations of asset import processes. If feasible, run Assimp-dependent services in sandboxed or containerized environments to limit the blast radius of crashes and simplify recovery.
Why prioritize this
Although CVE-2026-10201 carries a low CVSS score (3.3) due to its local-only attack vector and availability-only impact, the public disclosure of proof-of-concept code and the commonality of Assimp in 3D asset pipelines warrant timely attention. Prioritize patching for organizations with open file imports, collaborative asset workflows, or user-facing 3D tools. For environments with closed, validated file sources, the risk is minimal but not zero; schedule patching in routine maintenance windows. The vulnerability is not emergency-tier but should not be deferred indefinitely.
Risk score, explained
The CVSS 3.1 score of 3.3 (LOW) reflects the attack vector (Local only, AV:L), attack complexity (Low, AC:L), privilege requirement (Low, PR:L), user interaction (None, UI:N), scope (Unchanged, S:U), and impact (Availability only, A:L with Confidentiality and Integrity unaffected). This scoring is appropriate: the flaw causes denial of service via crash, not data theft or corruption. The local-only requirement and need for user-level access significantly constrain the threat landscape compared to network-exploitable vulnerabilities. However, the low bar to exploitation and public PoC availability mean tactical risk should be assessed in context of your specific deployment model and file-handling practices.
Frequently asked questions
Can this vulnerability be exploited over the network or remotely?
No. CVE-2026-10201 requires local code execution context and user-level privileges. It cannot be exploited remotely via network protocols, APIs, or web services. Only users or processes with local file system access can supply a malicious FBX file to trigger the defect.
What is the real-world impact if we do get exploited?
The application or service that attempts to process the malicious FBX file will crash due to an unhandled divide-by-zero exception. This causes a denial of service—loss of availability for that specific tool or process. No data theft, credential compromise, or system-level takeover occurs. Impact depends on your architecture: a single-user desktop tool crashes; an automated batch pipeline halts until manual intervention; a multi-user server may lose that processing instance.
Do we need to patch immediately, or is this lower priority?
Patch priority depends on your context. If your organization imports FBX files from external or untrusted sources, or if 3D asset processing is business-critical, treat this as medium priority within your regular patch cycle. If you only import from validated internal sources and have redundancy or recovery procedures, it can be scheduled in routine maintenance. Either way, public PoC disclosure means this is not a candidate for indefinite deferral.
How do we know if we're actually using the vulnerable Assimp version?
Check your application's documentation or software bill of materials (SBOM) for Assimp version. If you compile 3D tools in-house, review your build scripts and dependency manifests. For third-party tools, contact the vendor for their Assimp version and patching timeline. Many modern tools include version information in Help > About or in log files during startup.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Verify patch availability and version numbers against the official Assimp project repository and vendor advisories before deployment. CVSS scores and severity ratings are derived from standardized metrics but should be contextualized within your specific environment, threat model, and risk tolerance. This vulnerability is not listed on the CISA KEV catalog as of the analysis date. Testing in non-production environments is strongly recommended before applying patches to production systems. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for any action taken or omitted based on this guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10197LOWAssimp glTF2 Null Pointer Dereference Denial of Service
- CVE-2026-10198LOWAssimp glTF Importer Null Pointer Dereference DoS Vulnerability
- CVE-2026-10199LOWAssimp Null Pointer Dereference in glTF2 Parsing
- CVE-2026-10295LOWDenial of Service in SourceCodester Customer Review App 1.0
- CVE-2026-10298LOWwhisper.cpp Null Pointer Dereference Vulnerability – Local Denial of Service
- CVE-2026-10705LOWDask HyperLogLog Resource Exhaustion Vulnerability
- CVE-2026-10775LOWSGLang Cache Handler Denial-of-Service Vulnerability (v0.5.11)
- CVE-2025-70100MEDIUMlwext4 Divide-by-Zero Denial of Service (MEDIUM)