CVE-2026-29628 Overview
A stack overflow vulnerability has been identified in the experimental/tinyobj_loader_opt.h file of tinyobjloader at commit d56555b. This vulnerability allows attackers to cause a Denial of Service (DoS) condition by supplying a specially crafted .mtl file. The tinyobjloader library is a widely-used C++ library for loading Wavefront OBJ 3D model files and their associated material files.
Critical Impact
Attackers can cause application crashes and denial of service by providing malicious .mtl material files to applications using the vulnerable tinyobjloader experimental module.
Affected Products
- tinyobjloader commit d56555b and earlier versions
- Applications using experimental/tinyobj_loader_opt.h from affected tinyobjloader versions
- 3D modeling and rendering applications that parse untrusted .mtl files with vulnerable tinyobjloader builds
Discovery Timeline
- April 13, 2026 - CVE-2026-29628 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-29628
Vulnerability Analysis
This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow). The flaw exists in the material file parsing functionality within the experimental optimized loader component of tinyobjloader. When processing .mtl material files, the parser uses sscanf() without proper bounds checking, allowing an attacker to overflow a stack-allocated buffer by providing an excessively long string in the material file.
The vulnerability requires local access to exploit, as an attacker must be able to supply a crafted .mtl file to the target application. No privileges are required, and no user interaction is necessary beyond the application processing the malicious file. While the vulnerability does not compromise confidentiality or integrity, it can completely disrupt availability through application crashes.
Root Cause
The root cause is improper input validation in the sscanf() function call used to parse material names from .mtl files. The original code used an unbounded format specifier (%s) when reading strings into a fixed-size buffer (namebuf), which has a defined size of 4096 characters. When a material name exceeds this buffer size, the stack is corrupted, leading to a crash.
Attack Vector
The attack is locally exploitable by providing a maliciously crafted .mtl file to any application that uses the vulnerable tinyobjloader experimental loader. An attacker would create a material file containing an extremely long material name that exceeds the 4096-byte buffer, triggering the stack overflow when the application attempts to parse the file.
Attack scenarios include:
- Uploading malicious 3D model files to applications that support OBJ format
- Sharing crafted material files through collaborative modeling platforms
- Exploiting file preview features in applications that automatically parse model files
// Security patch in experimental/tinyobj_loader_opt.h - fix:buffer overflow
#ifdef _MSC_VER
sscanf_s(token, "%s", namebuf, (unsigned)_countof(namebuf));
#else
- sscanf(token, "%s", namebuf);
+ sscanf(token, "%4095s", namebuf);
#endif
material.name = namebuf;
continue;
Source: GitHub Commit for tinyobjloader
Detection Methods for CVE-2026-29628
Indicators of Compromise
- Application crashes when processing .mtl material files
- Stack corruption or segmentation fault errors in logs related to tinyobjloader
- Presence of unusually large .mtl files with extremely long material names (>4095 characters)
- Debug logs showing buffer overflow or stack smashing detection messages
Detection Strategies
- Monitor for process crashes in applications that parse OBJ/MTL 3D model files
- Implement file size and content validation for uploaded .mtl files before processing
- Use static analysis tools to detect usage of vulnerable tinyobjloader versions in codebases
- Enable stack canary protections (e.g., -fstack-protector) to detect overflow attempts
Monitoring Recommendations
- Configure crash reporting to capture stack traces from affected applications
- Implement input validation to reject .mtl files with abnormally long field values
- Monitor system logs for repeated crashes in 3D rendering or model processing services
- Set up alerts for unusual patterns in file upload endpoints accepting 3D model formats
How to Mitigate CVE-2026-29628
Immediate Actions Required
- Update tinyobjloader to a version containing the security patch (commit 386b73bb8c1a855236beb73b11f45f7feac4e03a or later)
- Audit applications for usage of the experimental tinyobj_loader_opt.h module
- Implement input validation to reject .mtl files from untrusted sources
- Consider using the stable, non-experimental tinyobjloader API if possible
Patch Information
The vulnerability has been addressed in a security patch that adds proper bounds checking to the sscanf() call. The fix limits the string read to 4095 characters using the format specifier %4095s, ensuring the buffer cannot overflow regardless of input size. For additional technical details, refer to the GitHub PoC repository.
Workarounds
- Avoid processing .mtl files from untrusted or unknown sources
- Implement pre-parsing validation to check material name lengths before processing
- Use sandboxing or containerization when running applications that process untrusted 3D model files
- Compile applications with stack protection flags enabled (-fstack-protector-strong)
# Configuration example
# Compile with stack protection enabled
g++ -fstack-protector-strong -D_FORTIFY_SOURCE=2 -o model_viewer model_viewer.cpp
# Validate MTL files before processing (check for long lines)
awk 'length > 4095 { print "Warning: Line too long"; exit 1 }' model.mtl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
