CVE-2026-42476: Open Cascade Technology DoS Vulnerability

CVE-2026-42476 Overview

CVE-2026-42476 affects Open CASCADE Technology (OCCT) version 8.0.0_rc5, an open source CAD/CAM/CAE geometric modeling library. Two heap-based out-of-bounds read vulnerabilities exist in the STereoLithography (STL) ASCII file parser. The flaws reside in RWStl_Reader::ReadAscii, where buffers returned by Standard_ReadLineBuffer::ReadLine() are not length-validated before being passed to strncasecmp or accessed by direct byte indexing. An attacker who persuades a victim to open a crafted STL file containing extremely short lines can trigger reads beyond allocated heap memory.

Critical Impact

Successful exploitation can cause denial of service through application crashes or potential disclosure of adjacent heap memory contents to attacker-controlled processing logic.

Affected Products

• Open CASCADE Technology 8.0.0 beta1
• Open CASCADE Technology 8.0.0 rc1 through rc4
• Open CASCADE Technology 8.0.0 rc5

Discovery Timeline

• 2026-05-01 - CVE CVE-2026-42476 published to NVD
• 2026-05-01 - Last updated in NVD database

Technical Details for CVE-2026-42476

Vulnerability Analysis

The vulnerability is classified as an out-of-bounds read [CWE-125] in the STL ASCII parser of OCCT. STL ASCII files use a line-oriented format with keywords such as solid, facet, outer, loop, vertex, endloop, endfacet, and endsolid. The OCCT parser reads each line with Standard_ReadLineBuffer::ReadLine() and then performs case-insensitive keyword comparisons or examines specific byte offsets to dispatch parsing logic.

The parser assumes returned lines contain enough bytes to hold the expected keyword. When the STL input contains lines shorter than the comparison length, the underlying calls to strncasecmp or direct byte access read past the end of the heap-allocated line buffer. The flaw is reachable purely through file content with no network exposure required.

Exploitation results in a denial of service when the read crosses an unmapped page boundary, or in possible information disclosure when adjacent heap data influences subsequent parser decisions. The local attack vector and required user interaction reflect that a victim must open the malicious STL file in an OCCT-based application.

Root Cause

The root cause is missing length validation between the line-reading layer and the keyword-matching layer. RWStl_Reader::ReadAscii trusts that each returned buffer holds at least as many bytes as the longest token it inspects. Empty lines, single-character lines, and other very short inputs violate this assumption and cause strncasecmp to compare uninitialized or out-of-bounds bytes.

Attack Vector

The attack requires a user to open a crafted STL file using an OCCT-linked application. The malicious file contains extremely short lines, including possibly empty lines or lines with only one or two bytes before the line terminator. When RWStl_Reader::ReadAscii advances through these lines, the comparison routines read beyond the buffer boundary on the heap. See the GitHub Gist PoC Code for technical details.

Detection Methods for CVE-2026-42476

Indicators of Compromise

• STL files that contain unusually short lines, empty lines, or truncated keywords inconsistent with the STL ASCII grammar.
• Application crashes or unexpected termination in processes that link TKRWMesh or other OCCT modules during file open operations.
• Heap diagnostic alerts (ASan, Application Verifier, PageHeap) firing inside RWStl_Reader::ReadAscii or Standard_ReadLineBuffer::ReadLine.

Detection Strategies

• Hunt for processes that load OCCT libraries and subsequently crash while reading files with the .stl extension.
• Inspect STL files at ingestion points using a validator that rejects lines shorter than the smallest valid STL keyword.
• Correlate user-opened CAD attachments with subsequent process exits or watchdog restarts on engineering workstations.

Monitoring Recommendations

• Monitor crash telemetry from CAD/CAM/CAE applications and engineering tools that embed OCCT.
• Log file open events for STL files originating from email, web downloads, or removable media on workstations used by design teams.
• Track installed OCCT versions across the environment and flag any host running 8.0.0 release candidates.

How to Mitigate CVE-2026-42476

Immediate Actions Required

• Inventory all applications and internal tools that statically or dynamically link OCCT 8.0.0_rc5 or earlier release candidates.
• Restrict opening STL files to trusted sources until a fixed OCCT build is deployed across affected systems.
• Apply heap-hardening flags such as -fsanitize=address in development builds to surface any in-house code paths exercising the vulnerable parser.

Patch Information

No vendor advisory URL is published in the NVD record at the time of writing. Track upstream Open CASCADE Technology releases for a stable version that supersedes the 8.0.0 release candidate series, and rebuild downstream applications against the patched library once available. Refer to the GitHub Gist PoC Code for reproduction details that can validate any backported fix.

Workarounds

• Pre-validate STL ASCII files with a strict parser that rejects empty or sub-keyword-length lines before passing them to OCCT.
• Process untrusted STL files inside a sandbox or container with constrained memory and no access to sensitive data.
• Disable automatic preview or thumbnail generation for STL files in file managers and CAD viewers on shared workstations.

# Configuration example: reject STL files containing lines shorter than 4 bytes
awk 'length($0) < 4 { print FILENAME": short line at "NR; bad=1 } END { exit bad }' suspect.stl