CVE-2026-42479: Open Cascade Technology DoS Vulnerability

CVE-2026-42479 Overview

CVE-2026-42479 is an out-of-bounds read vulnerability in the Virtual Reality Modeling Language (VRML) parser of Open CASCADE Technology (OCCT) version 8.0.0 rc5. The flaw resides in the VrmlData_IndexedLineSet::TShape function, which processes geometric line set data during VRML file parsing. Attackers can trigger the vulnerability by supplying a crafted VRML file that contains coordIndex values exceeding the bounds of the coordinate array. The parser uses these attacker-controlled indices directly without validation, causing the application to read memory outside the intended buffer. Successful exploitation results in a denial-of-service condition affecting any application that embeds OCCT for 3D model processing.

Critical Impact

A crafted VRML file processed by an OCCT-based application causes an out-of-bounds read in VrmlData_IndexedLineSet::TShape, terminating the host process and producing a denial of service.

Affected Products

• Open CASCADE Technology 8.0.0 beta1
• Open CASCADE Technology 8.0.0 rc1 through rc4
• Open CASCADE Technology 8.0.0 rc5

Discovery Timeline

• 2026-05-01 - CVE-2026-42479 published to NVD
• 2026-05-01 - Last updated in NVD database

Technical Details for CVE-2026-42479

Vulnerability Analysis

Open CASCADE Technology is an open-source 3D modeling and computer-aided design (CAD) kernel used in engineering applications, simulation tools, and CAD software. The library includes a VRML parser to import legacy 3D scene files described in the Virtual Reality Modeling Language format.

The vulnerability is classified as an out-of-bounds read [CWE-125]. It occurs inside VrmlData_IndexedLineSet::TShape, the function that constructs an indexed line set shape from parsed VRML input. An indexed line set defines geometry through two arrays: a coordinate array containing 3D points and a coordIndex array referencing those points by integer index. The parser dereferences each coordIndex entry as a direct subscript into the coordinate array.

Processing terminates the host application abnormally, which prevents the calling tool from completing its workflow. Because the parser runs with the privileges of the importing process, the impact extends to any pipeline that automatically ingests VRML content.

Root Cause

The root cause is missing bounds validation. OCCT reads the coordIndex values from the input file and applies them as array indices into the coordinate buffer without checking whether each index is within the size of that buffer. When an index exceeds the array length, the function reads memory outside the allocated region and dereferences invalid data during geometry construction.

Attack Vector

Exploitation requires local access and user interaction. An attacker delivers a malicious .wrl or .vrml file to a victim and convinces the user to open it in an application that links against OCCT. Network exploitation is not directly possible, but file-sharing channels, email attachments, and design asset repositories provide realistic delivery paths. A proof-of-concept demonstrating the crash is available in a public GitHub Gist.

The vulnerability cannot be used for code execution or information disclosure based on the published analysis. The outcome is restricted to high availability impact through process termination.

Detection Methods for CVE-2026-42479

Indicators of Compromise

• Unexpected crashes or segmentation faults in CAD, simulation, or visualization applications immediately after loading a VRML file.
• Crash dumps referencing VrmlData_IndexedLineSet::TShape or related VRML parsing symbols inside TKVRML or TKDataXtd modules.
• VRML files containing coordIndex entries with values larger than the declared Coordinate point array length.

Detection Strategies

• Static-scan inbound VRML files for coordIndex integers that exceed the count of points in the associated Coordinate node before passing them to OCCT.
• Run OCCT-based file parsers inside sandboxed processes and treat abnormal exits during VRML import as a security event.
• Hash-match known proof-of-concept files referenced in public advisories at email and file-share gateways.

Monitoring Recommendations

• Monitor application crash telemetry on engineering workstations for repeated faults in OCCT modules.
• Audit file ingestion services that batch-process 3D assets for unexpected worker restarts when handling VRML inputs.
• Alert on VRML files arriving from untrusted external sources that target users of CAD or 3D modeling software.

How to Mitigate CVE-2026-42479

Immediate Actions Required

• Inventory all internal applications, plugins, and build artifacts that statically or dynamically link against Open CASCADE Technology 8.0.0 release candidates.
• Restrict opening of untrusted VRML files in OCCT-based applications until a fixed release is deployed.
• Isolate automated 3D asset processing pipelines so that a parser crash does not disrupt shared services.

Patch Information

No vendor advisory or fixed release was published at the time of NVD disclosure. Track the Open CASCADE Technology project for updates beyond version 8.0.0 rc5 that introduce bounds checking on coordIndex values inside VrmlData_IndexedLineSet::TShape. Until a patched build is available, downgrade to a confirmed unaffected stable release if one is supported by your toolchain.

Workarounds

• Block or quarantine VRML files (.wrl, .vrml) at email and web gateways when they originate from untrusted senders.
• Pre-validate coordIndex arrays against the Coordinate point count using a hardened pre-parser before handing files to OCCT.
• Run viewers and converters that depend on OCCT under reduced privileges and within process sandboxes to contain crash impact.

# Configuration example: block VRML attachments at a Postfix gateway
# /etc/postfix/mime_header_checks
/name=[^>]*\.(wrl|vrml)/   REJECT VRML attachments are blocked pending CVE-2026-42479 remediation
/Content-Type:.*model\/vrml/ REJECT VRML content type blocked pending CVE-2026-42479 remediation