CVE-2026-42477 Overview
CVE-2026-42477 is a heap-based out-of-bounds read vulnerability in the OBJ file parser of Open CASCADE Technology (OCCT) version 8.0.0_rc5. The flaw resides in RWObj_Reader::read, which processes Wavefront OBJ geometry files. An attacker who convinces a user to open a crafted OBJ file can trigger a denial of service or read adjacent heap memory, potentially exposing sensitive process data. The vulnerability is tracked under CWE-125: Out-of-bounds Read and affects all 8.0.0 pre-release builds (beta1 through rc5).
Critical Impact
User-assisted attackers can crash OCCT-based CAD applications or exfiltrate heap memory contents by delivering a malicious OBJ file.
Affected Products
- Open CASCADE Technology 8.0.0 beta1
- Open CASCADE Technology 8.0.0 rc1 through rc4
- Open CASCADE Technology 8.0.0 rc5
Discovery Timeline
- 2026-05-01 - CVE-2026-42477 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-42477
Vulnerability Analysis
Open CASCADE Technology is an open-source 3D modeling and CAD development kit used in engineering, simulation, and visualization software. The RWObj_Reader component parses Wavefront OBJ files, a common interchange format for 3D geometry. The vulnerability allows an attacker to read memory beyond an allocated heap buffer when the parser processes a malformed OBJ line.
The consequences include process termination through segmentation fault or disclosure of sensitive heap-resident data such as pointers, configuration values, or fragments of other parsed assets. Exploitation requires local file access and user interaction, narrowing the attack surface to scenarios where a victim opens an attacker-supplied model file.
Root Cause
The root cause is missing buffer-length validation in RWObj_Reader::read(). The helper function Standard_ReadLineBuffer::ReadLine() may return a line buffer as small as one byte for a minimal OBJ input. Despite this, RWObj_Reader::read() invokes pushIndices(aLine + 2) without confirming that the buffer contains at least three bytes. The pointer arithmetic then advances past the allocated region, causing subsequent reads to access out-of-bounds heap memory.
Attack Vector
The attack vector is local and requires user interaction. An attacker crafts a minimal OBJ file containing a short line, such as a single character followed by a newline, that satisfies the parser's line-read step but underflows the length expectation of pushIndices. The victim opens the file in any application built on OCCT 8.0.0 pre-release builds. Parsing proceeds until the out-of-bounds read either crashes the process or returns adjacent memory contents that influence downstream parsing logic.
The vulnerability mechanism is documented in the GitHub Gist Security Reference. No public proof-of-concept exploit or vendor advisory was available at publication.
Detection Methods for CVE-2026-42477
Indicators of Compromise
- Unexpected crashes or segmentation faults in CAD or visualization applications immediately after opening an OBJ file.
- OBJ files with truncated or single-character lines that do not conform to the Wavefront OBJ specification.
- Application logs referencing RWObj_Reader::read or Standard_ReadLineBuffer::ReadLine faults.
Detection Strategies
- Inspect inbound OBJ files for malformed or abnormally short lines using a pre-processing validator before passing them to OCCT.
- Run OCCT-based applications under AddressSanitizer (ASan) in test environments to surface heap out-of-bounds reads during file ingestion.
- Correlate process crash telemetry with recent OBJ file open events on engineering workstations.
Monitoring Recommendations
- Monitor endpoint EDR telemetry for crashes of CAD processes that load OCCT libraries (TKRWMesh, TKMesh).
- Alert on email or file-share delivery of OBJ attachments from untrusted senders to engineering and design teams.
- Capture core dumps from affected workstations to support post-incident triage of suspected exploitation.
How to Mitigate CVE-2026-42477
Immediate Actions Required
- Avoid opening OBJ files from untrusted sources in any application built on OCCT 8.0.0 pre-release versions.
- Inventory engineering and visualization applications to identify those linked against vulnerable OCCT builds.
- Restrict OBJ file ingestion in automated pipelines until validation is in place.
Patch Information
No vendor patch reference is listed in the NVD record at the time of publication. Track the Open CASCADE Technology project for a fixed release beyond 8.0.0_rc5 and apply it once available. Until then, downgrade to a stable OCCT release that does not contain the vulnerable RWObj_Reader::read code path.
Workarounds
- Pre-validate OBJ files with a strict parser that rejects lines shorter than the minimum length required by the Wavefront OBJ specification.
- Sandbox CAD applications using OS-level isolation such as Windows AppContainer, macOS App Sandbox, or Linux seccomp profiles to contain crashes and memory disclosure.
- Disable automatic preview or thumbnail generation for OBJ files in file managers and asset pipelines.
# Example pre-validation: reject OBJ files containing lines shorter than 3 bytes
awk 'length($0) < 3 { print FILENAME": short line at "NR; exit 1 }' suspect.obj
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
