CVE-2026-42481 Overview
CVE-2026-42481 affects Open CASCADE Technology (OCCT) version V8_0_0_rc5, an open-source 3D CAD modeling kernel. The vulnerability spans multiple defects in the IGES and STEP file parsers. A crafted IGES or STEP file can trigger an out-of-bounds read in Geom2d_BSplineCurve::EvalD0 during IGES B-spline curve evaluation, an out-of-bounds read in MakeBSplineCurveCommon during STEP B-spline curve construction, or infinite recursion in StepShape_OrientedEdge::EdgeStart when processing a self-referential OrientedEdge entity. Successful exploitation results in denial of service or unintended memory disclosure. The flaw is categorized under CWE-125 (Out-of-bounds Read).
Critical Impact
A local attacker with low privileges can crash applications that parse IGES or STEP files using OCCT, or read adjacent process memory through crafted CAD geometry.
Affected Products
- Open CASCADE Technology (OCCT) V8_0_0_rc5
- Applications embedding the OCCT IGES file parser
- Applications embedding the OCCT STEP file parser
Discovery Timeline
- 2026-05-01 - CVE-2026-42481 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-42481
Vulnerability Analysis
OCCT processes two widely used CAD interchange formats: IGES (Initial Graphics Exchange Specification) and STEP (Standard for the Exchange of Product Data). Both parsers fail to fully validate geometric entity data before use. The disclosure identifies three distinct defects reachable through crafted input files.
The first defect is an out-of-bounds read in Geom2d_BSplineCurve::EvalD0, triggered while evaluating B-spline curves loaded from IGES files. The second defect is an out-of-bounds read in MakeBSplineCurveCommon, triggered during STEP B-spline curve construction. Both reads can leak adjacent heap memory contents to the parsing process or crash the application.
The third defect is uncontrolled recursion in StepShape_OrientedEdge::EdgeStart. When a STEP file defines an OrientedEdge entity that references itself, the parser recurses without termination and exhausts the call stack, producing a denial-of-service condition.
Root Cause
The parsers trust geometry-defining indices, knot vectors, and entity references contained in input files. They do not verify that array indices remain within allocated bounds before dereferencing, and they do not detect cyclic graph structures in OrientedEdge references before traversal.
Attack Vector
Exploitation requires the victim to open or process a malicious IGES or STEP file with an OCCT-based application. The attack vector is local and requires low privileges, with no user interaction beyond initiating the file load. Impact is limited to availability and incidental memory disclosure; integrity and confidentiality of stored data are not directly affected.
No verified exploit code is publicly available. A demonstration snippet referenced in the disclosure is hosted at the GitHub Gist Code Snippet.
Detection Methods for CVE-2026-42481
Indicators of Compromise
- Unexpected crashes or stack-overflow exceptions in processes that load IGES (.igs, .iges) or STEP (.stp, .step) files.
- Repeated abnormal termination of OCCT-based CAD viewers, converters, or batch processors after opening untrusted files.
- Inbound CAD files originating from external email, web, or file-sharing channels containing self-referential ORIENTED_EDGE entities.
Detection Strategies
- Statically scan inbound IGES and STEP files for ORIENTED_EDGE entities that reference their own entity ID, indicating a recursion trigger.
- Inspect B-spline curve definitions for knot or control-point counts that exceed declared array sizes.
- Run OCCT-based parsing in a sandboxed worker with crash telemetry forwarded to centralized logging.
Monitoring Recommendations
- Forward process crash and segmentation fault events from CAD workstations and conversion servers to a SIEM for correlation.
- Alert on repeated faults of the same OCCT-linked binary across short time windows, which may indicate exploitation attempts.
- Track file provenance for CAD files entering engineering environments and review files from untrusted sources before processing.
How to Mitigate CVE-2026-42481
Immediate Actions Required
- Restrict OCCT-based applications to processing CAD files from trusted sources until a fixed release is deployed.
- Run IGES and STEP parsing inside isolated, low-privilege processes with strict resource and memory limits.
- Inventory internal applications that statically link or bundle OCCT V8_0_0_rc5 and prioritize them for upgrade.
Patch Information
No fixed version is identified in the published advisory at the time of writing. Monitor the Open CASCADE Technology project and the GitHub Gist Code Snippet referenced in the NVD entry for updated builds beyond V8_0_0_rc5 that address the IGES and STEP parser defects.
Workarounds
- Pre-validate IGES and STEP files with a schema or entity-graph checker that rejects self-referential OrientedEdge definitions before passing them to OCCT.
- Apply per-process stack size and CPU time limits (for example, ulimit -s and ulimit -t) to contain recursion-driven denial of service.
- Disable automatic preview rendering of CAD attachments in mail clients and document management systems handling untrusted content.
# Configuration example: contain OCCT parsing in a constrained shell
ulimit -s 8192 # cap stack to mitigate infinite recursion
ulimit -t 30 # cap CPU seconds per parsing job
ulimit -v 1048576 # cap virtual memory (KB)
./occt_parser /path/to/untrusted.step
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
