CVE-2026-10200 Overview
CVE-2026-10200 is a heap-based buffer overflow in the Open Asset Import Library (Assimp) versions up to 6.0.4. The flaw resides in the glTFCommon::CopyValue function within glTFCommon.h, part of the 4x4 Matrix Parser component. An attacker with local access can supply a crafted glTF asset to trigger memory corruption during parsing. A public proof-of-concept has been released, and the Assimp project has acknowledged the report as a bug. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
Local processing of malicious glTF files can corrupt heap memory in applications and pipelines that embed Assimp for 3D asset parsing.
Affected Products
- Assimp (Open Asset Import Library) versions up to and including 6.0.4
- Applications and game engines embedding the vulnerable glTFCommon.h parser
- 3D content pipelines that import glTF assets via Assimp
Discovery Timeline
- 2026-05-31 - CVE-2026-10200 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10200
Vulnerability Analysis
The vulnerability lives in glTFCommon::CopyValue, a helper used by Assimp's glTF importer to copy values into 4x4 transformation matrices. When parsing matrix data from a glTF file, the routine does not adequately validate that the source data matches the fixed destination buffer size. A crafted asset containing oversized or malformed matrix arrays causes a write beyond the bounds of the heap-allocated matrix structure.
Because Assimp is widely embedded in rendering engines, modeling tools, and game pipelines, the flawed code path is reachable any time an application opens an untrusted .gltf or .glb file. Heap corruption in C++ parsing code of this nature can destabilize the host process and, depending on heap layout, may be leveraged to influence adjacent allocations.
Root Cause
The root cause is missing bounds enforcement in glTFCommon::CopyValue when populating fixed-size 4x4 matrix buffers. The function trusts the element count derived from the input document instead of constraining it to the 16 floats expected by the matrix type. This permits attacker-controlled input length to drive an out-of-bounds heap write.
Attack Vector
Exploitation requires local interaction: the victim must open or import a malicious glTF asset using software that links against a vulnerable Assimp build. The attacker needs low privileges and no additional authentication beyond the ability to deliver the file. The attack does not traverse the network directly, but malicious assets can be staged through email, marketplaces, or shared project files.
A public proof-of-concept is referenced from GitHub Issue #6612 and a GitHub PoC archive. See the VulDB entry for CVE-2026-10200 for further triage notes.
No verified exploitation code is reproduced here; refer to the upstream issue tracker for technical reproduction details.
Detection Methods for CVE-2026-10200
Indicators of Compromise
- Unexpected crashes or heap corruption signatures in processes that load assimp (for example libassimp.so or assimp.dll) while parsing glTF assets.
- Presence of unsolicited .gltf or .glb files in user download directories, asset import folders, or build pipelines.
- AddressSanitizer or Application Verifier reports flagging heap-buffer-overflow in glTFCommon::CopyValue during automated testing.
Detection Strategies
- Inventory binaries and containers that statically or dynamically link Assimp versions at or below 6.0.4.
- Run fuzz testing or static analysis against the glTF importer path, focusing on matrix and accessor parsing.
- Hash-match known PoC artifacts referenced from the Assimp GitHub repository issue tracker.
Monitoring Recommendations
- Alert on abnormal termination of 3D content tools, build agents, or asset-conversion services that handle untrusted input.
- Log file-open events on asset directories and correlate with subsequent process crashes.
- Track software bill of materials (SBOM) updates so new applications introducing Assimp are reviewed against this advisory.
How to Mitigate CVE-2026-10200
Immediate Actions Required
- Identify all internal and third-party software that bundles Assimp through SBOM review and dependency scanning.
- Restrict opening of untrusted glTF assets to sandboxed accounts or dedicated conversion hosts.
- Disable or remove the glTF importer in Assimp builds where it is not required.
Patch Information
At the time of publication, no fixed Assimp release is listed in the NVD record. Monitor the Assimp GitHub repository and GitHub Issue #6612 for an upstream fix and rebuild dependent applications once a patched version is available.
Workarounds
- Reject or quarantine glTF and GLB files received from untrusted sources until a patched Assimp build is deployed.
- Compile Assimp with hardened allocator options and AddressSanitizer in non-production pipelines to surface exploitation attempts.
- Run asset-parsing workloads inside least-privilege containers or sandboxes so heap corruption cannot affect the broader host.
```bash
# Example: identify processes and libraries linked against Assimp on Linux
ldconfig -p | grep -i assimp
lsof -n 2>/dev/null | grep -i assimp
```
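A pre-ingest check for the reject-or-quarantine workaround, added here as an example; it is not part of the original advisory and is not Assimp code. It flags .gltf and .glb files in which a node's matrix array is not exactly 16 finite numbers. It assumes the node matrix property is the relevant input, which the advisory does not specify, and all function names and sample data are constructed for illustration.

```python
import json
import math
import struct

GLB_MAGIC = 0x46546C67   # b"glTF" read as a little-endian uint32
CHUNK_JSON = 0x4E4F534A  # b"JSON" read as a little-endian uint32

def extract_json(data: bytes) -> dict:
    """Return the glTF JSON document from .gltf text or a .glb container."""
    if len(data) >= 12 and struct.unpack_from("<I", data, 0)[0] == GLB_MAGIC:
        if len(data) < 20:
            raise ValueError("GLB too short for a chunk header")
        chunk_len, chunk_type = struct.unpack_from("<II", data, 12)
        if chunk_type != CHUNK_JSON or 20 + chunk_len > len(data):
            raise ValueError("first GLB chunk is not a well-formed JSON chunk")
        data = data[20:20 + chunk_len]
    doc = json.loads(data.decode("utf-8"))
    if not isinstance(doc, dict):
        raise ValueError("glTF root is not a JSON object")
    return doc

def _finite_number(x) -> bool:
    return isinstance(x, (int, float)) and not isinstance(x, bool) and math.isfinite(x)

def bad_matrices(doc: dict) -> list:
    """List (node index, reason) for node matrices that are not 16 finite numbers."""
    nodes = doc.get("nodes", [])
    if not isinstance(nodes, list):
        return [(-1, "nodes is not an array")]
    findings = []
    for i, node in enumerate(nodes):
        if not isinstance(node, dict) or "matrix" not in node:
            continue
        m = node["matrix"]
        if not isinstance(m, list):
            findings.append((i, "matrix is not an array"))
        elif len(m) != 16:
            findings.append((i, f"matrix has {len(m)} elements, expected 16"))
        elif not all(_finite_number(x) for x in m):
            findings.append((i, "matrix has a non-numeric or non-finite element"))
    return findings

def should_quarantine(data: bytes) -> bool:
    """True if the file is unparseable or carries a malformed node matrix."""
    try:
        return bool(bad_matrices(extract_json(data)))
    except (ValueError, OverflowError):
        return True  # fail closed on anything the screen cannot parse

# Constructed samples (not taken from the public PoC)
IDENTITY = [1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1]
SAMPLE_OK = json.dumps({"nodes": [{"matrix": IDENTITY}]}).encode()
SAMPLE_BAD = json.dumps({"nodes": [{"matrix": IDENTITY + [0]}]}).encode()
```

The screen only covers node matrices in the JSON document; matrix data stored in binary buffers is outside its scope, so it complements rather than replaces sandboxing.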

