CVE-2026-42478: Open Cascade Technology DOS Vulnerability

CVE-2026-42478 Overview

CVE-2026-42478 is a denial-of-service vulnerability in Open CASCADE Technology (OCCT) version V8_0_0_rc5. The flaw resides in the VrmlData_IndexedFaceSet::TShape function within the VRML V2.0 parser. Attackers can trigger the issue by supplying a crafted Virtual Reality Modeling Language (VRML) file that causes dereference of a corrupt or unvalidated pointer during shape construction in libTKDEVRML.so. The vulnerability is tracked under [CWE-476] (NULL Pointer Dereference) and [CWE-125] (Out-of-bounds Read). Successful exploitation crashes any application that embeds the affected OCCT library when processing the malicious file.

Critical Impact

A remote attacker can crash applications that parse untrusted VRML files using OCCT, disrupting CAD pipelines, 3D visualization services, and conversion workflows that rely on libTKDEVRML.so.

Affected Products

• Open CASCADE Technology 8.0.0 beta1
• Open CASCADE Technology 8.0.0 rc1 through rc4
• Open CASCADE Technology 8.0.0 rc5

Discovery Timeline

• 2026-05-01 - CVE-2026-42478 published to the National Vulnerability Database (NVD)
• 2026-05-01 - Last updated in NVD database

Technical Details for CVE-2026-42478

Vulnerability Analysis

The vulnerability exists in the VRML V2.0 parser shipped with Open CASCADE Technology, an open-source 3D Computer-Aided Design (CAD) toolkit. The VrmlData_IndexedFaceSet::TShape method constructs geometric shape representations from indexed face set definitions parsed from VRML input. The function trusts intermediate pointer values produced earlier in the parsing pipeline without verifying they reference valid objects.

When a malformed VRML file omits required nodes or supplies inconsistent index data, the shape construction logic operates on a corrupt or null pointer. The dereference occurs inside libTKDEVRML.so, the VRML data exchange shared library. The result is an immediate process crash, producing a denial-of-service condition for any host application linking against the library.

Root Cause

The root cause is missing input validation in the VRML parser. The implementation does not confirm that pointers used during IndexedFaceSet shape construction are non-null and reference initialized data structures. CWE-476 captures the null pointer dereference, while CWE-125 reflects the related out-of-bounds read that can occur when corrupt index values are followed during shape assembly.

Attack Vector

Exploitation requires only that a victim application parse a crafted VRML file with the OCCT VRML reader. The attack vector is network-based because VRML files commonly traverse web services, asset pipelines, and shared file repositories. No authentication or user interaction beyond initiating a parse operation is required. Impact is limited to availability — confidentiality and integrity are not affected. A proof-of-concept VRML file is referenced in the GitHub Gist PoC Repository.

Detection Methods for CVE-2026-42478

Indicators of Compromise

• Repeated process crashes or core dumps from binaries linked against libTKDEVRML.so shortly after VRML file ingestion.
• Segmentation faults logged with stack frames originating in VrmlData_IndexedFaceSet::TShape.
• VRML files (.wrl, .vrml) submitted from untrusted sources containing malformed IndexedFaceSet nodes or missing coordinate references.

Detection Strategies

• Inventory systems for installations of Open CASCADE Technology 8.0.0 release candidates and applications that bundle these versions.
• Inspect VRML files in transit for structurally invalid IndexedFaceSet definitions before they reach OCCT-based parsers.
• Correlate application crash telemetry with recent .wrl file ingestion events through your endpoint detection and response (EDR) or Security Information and Event Management (SIEM) platform.

Monitoring Recommendations

• Enable crash reporting and core dump collection on hosts running OCCT-dependent services to capture exploitation attempts.
• Monitor file upload endpoints that accept 3D model formats for anomalous VRML payload sizes or repeated parser failures.
• Track restarts of long-running CAD or visualization services that link libTKDEVRML.so.

How to Mitigate CVE-2026-42478

Immediate Actions Required

• Identify all applications and services that link against OCCT libTKDEVRML.so and inventory their versions.
• Disable VRML parsing in environments that do not require the format until a fixed release is available.
• Restrict VRML file ingestion to trusted, authenticated sources and reject files from untrusted users at upload boundaries.

Patch Information

No vendor-released security patch is referenced in the published advisory data. Monitor the upstream Open CASCADE Technology project for fixed releases beyond V8_0_0_rc5. Until a fix is available, organizations should treat all OCCT 8.0.0 release candidates as vulnerable and apply compensating controls.

Workarounds

• Run OCCT-based parsers inside isolated, resource-limited containers or sandboxes so a crash does not affect the host service.
• Add a pre-parse validation step that rejects VRML files lacking required Coordinate and coordIndex fields before invoking VrmlData_IndexedFaceSet::TShape.
• Implement automatic service restart with exponential backoff to limit availability impact if a crash occurs.

# Configuration example: restrict VRML uploads at a reverse proxy
# nginx fragment rejecting .wrl uploads from untrusted paths
location /upload/ {
    if ($request_filename ~* \.(wrl|vrml)$) {
        return 403;
    }
    client_max_body_size 5m;
}