CVE-2023-35951 in libigl
Summary
by MITRE • 05/28/2024
Multiple stack-based buffer overflow vulnerabilities exist in the readOFF.cpp functionality of libigl v2.4.0. A specially-crafted .off file can lead to a buffer overflow. An attacker can achieve arbitrary code execution by triggering these vulnerabilities. This vulnerability exists within the code responsible for parsing geometric vertices of an OFF file.
Analysis
by VulDB Data Team • 03/27/2025
The vulnerability identified as CVE-2023-35951 represents a critical stack-based buffer overflow in the libigl library version 2.4.0, specifically within the readOFF.cpp component responsible for parsing OFF (Object File Format) files. This library is widely utilized in computational geometry applications, computer graphics, and scientific computing environments where 3D mesh data processing is essential. The flaw manifests when the library encounters specially crafted OFF files containing malformed vertex data, creating a condition where insufficient input validation allows malicious data to overwrite adjacent stack memory locations. The vulnerability stems from improper bounds checking during the parsing of geometric vertex coordinates, where the application fails to verify that incoming vertex data fits within allocated memory buffers before copying operations occur.
This vulnerability is classified as CWE-121, Stack-based Buffer Overflow, which occurs when a program writes data beyond the boundaries of a fixed-length stack buffer. In this case, the readOFF.cpp functionality processes vertex data from OFF files without adequate validation of array dimensions or element counts, allowing an attacker to craft an OFF file containing more vertex coordinates than the predetermined buffer can hold. The attack vector is particularly concerning because it requires no privileged access or special conditions beyond the ability to supply a malicious file to an application using libigl, making it a classic example of a remote code execution vulnerability. Its exploitation potential is increased by the fact that OFF files are commonly used in 3D modeling workflows and scientific visualization tools, creating numerous potential attack surfaces.
The operational impact of this vulnerability extends across multiple domains where libigl is integrated, including academic research environments, commercial 3D modeling software, and scientific visualization platforms. An attacker who successfully exploits this vulnerability could execute arbitrary code with the privileges of the affected application, potentially leading to complete system compromise. The attack requires only the delivery of a malicious OFF file to a target system running vulnerable software, making it particularly dangerous in environments where users frequently open 3D model files from untrusted sources. This vulnerability directly maps to ATT&CK technique T1203, which covers exploitation of remote services, and T1059, covering command and scripting interpreter usage, as the successful exploitation would likely involve executing malicious code within the application's execution context.
Mitigation strategies for CVE-2023-35951 should prioritize immediate patching of libigl to version 2.4.1 or later, which contains the necessary fixes for the buffer overflow conditions. Organizations should implement input validation measures that restrict OFF file processing to known good formats and establish strict limits on vertex count and coordinate values during parsing operations. Additionally, application developers using libigl should consider implementing defensive programming practices such as bounds checking, memory sanitization, and input validation routines that prevent buffer overflows regardless of the underlying library version. Network-level defenses including file type filtering and sandboxing mechanisms can provide additional protection layers, particularly in environments where users may encounter untrusted OFF files. The vulnerability highlights the importance of regular security updates and comprehensive testing of third-party libraries in security-conscious environments where 3D mesh processing is integral to workflow operations.
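The bounds checks recommended above, shown as an added example of a defensive OFF vertex-section parser. This is illustrative code written for this page, not libigl's readOFF implementation; the function name `parse_off_vertices`, the field cap `kMaxVertexFields` and the vertex cap `kMaxVertices` are assumptions chosen here. The key point is that per-vertex fields are collected into a growable container and counted against an explicit limit, so an over-long vertex line is rejected instead of being written past a fixed-size stack array.

```cpp
#include <array>
#include <cstddef>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical limits (assumptions for this example, not libigl's values):
// an OFF vertex line carries x y z and optionally r g b a, so 7 fields at most.
constexpr std::size_t kMaxVertexFields = 7;
constexpr std::size_t kMaxVertices = 10000000;  // sane cap on the declared vertex count

// Strict numeric conversion: the whole token must be consumed.
static bool parse_double(const std::string& tok, double& out) {
    char* end = nullptr;
    out = std::strtod(tok.c_str(), &end);
    return end != tok.c_str() && *end == '\0';
}

// Parses the "OFF" header, the count line and the vertex block of `text`.
// Returns true and fills `verts` on success; false on any malformed input
// (bad header, negative or oversized counts, truncated file, non-numeric or
// excess fields on a vertex line). Nothing is ever written into a fixed buffer.
bool parse_off_vertices(const std::string& text,
                        std::vector<std::array<double, 3>>& verts) {
    std::istringstream in(text);
    std::string line;
    if (!std::getline(in, line) || line != "OFF") return false;
    if (!std::getline(in, line)) return false;
    std::istringstream hdr(line);
    long long nv = -1, nf = -1, ne = 0;
    if (!(hdr >> nv >> nf)) return false;
    hdr >> ne;  // edge count is optional in OFF
    if (nv < 0 || nf < 0 || ne < 0) return false;
    if (static_cast<unsigned long long>(nv) > kMaxVertices) return false;
    verts.clear();
    for (long long i = 0; i < nv; ++i) {
        if (!std::getline(in, line)) return false;  // fewer vertices than declared
        std::istringstream ls(line);
        std::vector<double> fields;
        std::string tok;
        while (ls >> tok) {
            double v;
            if (!parse_double(tok, v)) return false;              // non-numeric field
            if (fields.size() == kMaxVertexFields) return false;  // too many fields: reject
            fields.push_back(v);
        }
        if (fields.size() < 3) return false;  // x, y, z are mandatory
        verts.push_back({fields[0], fields[1], fields[2]});
    }
    return true;
}
```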