CVE-2026-14604 in Assimpinfo

Summary

by MITRE • 07/03/2026

A vulnerability was determined in Open Asset Import Library Assimp up to 6.0.4. Affected is the function Assimp::Exporter::ExportToBlob of the file code/AssetLib/Ply/PlyLoader.cpp of the component PLY Model Handler. This manipulation causes double free. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/05/2026

The Open Asset Import Library Assimp vulnerability resides within its PLY Model Handler component, specifically in the Assimp::Exporter::ExportToBlob function located in code/AssetLib/Ply/PlyLoader.cpp. This flaw represents a critical memory management issue that manifests as a double free condition, where the same memory block is deallocated twice during the export process of PLY (Polygon File Format) model files. The vulnerability affects all versions up to and including 6.0.4, making it a widespread concern for any system utilizing Assimp for 3D asset processing.

The technical exploitation of this vulnerability occurs through manipulation of PLY file structures that are processed by the Exporter::ExportToBlob function. When an attacker crafts a malicious PLY file and triggers the export functionality, the double free condition is triggered during memory deallocation operations. This type of vulnerability falls under CWE-415, which specifically addresses double free conditions in memory management implementations. The flaw creates a situation where heap corruption occurs, potentially allowing attackers to execute arbitrary code or cause denial of service conditions.

The remote exploitation capability of this vulnerability presents significant operational risks as it can be initiated through network-based attacks without requiring local system access. This means that any application or service using Assimp for PLY file processing could become vulnerable to remote code execution or system compromise simply by processing untrusted PLY content. The public disclosure of the exploit increases the likelihood of real-world attacks, making this vulnerability particularly dangerous in production environments where 3D asset handling is common.

Organizations utilizing Assimp for 3D model import and export operations should immediately implement mitigations to protect against potential exploitation. The primary recommendation involves upgrading to a patched version of Assimp beyond 6.0.4 where the double free condition has been addressed through proper memory management practices. Additionally, implementing strict input validation and sanitization for all PLY files processed by applications using Assimp can serve as an effective defensive measure. From an ATT&CK framework perspective, this vulnerability maps to T1203 - Exploitation for Client Execution and T1499 - Endpoint Denial of Service, highlighting both the execution and denial of service attack vectors that could be leveraged.

The exploitation scenario typically involves an attacker uploading or transmitting a malicious PLY file to a system running vulnerable Assimp implementations. When the application processes this file through the Exporter::ExportToBlob function, the double free condition triggers heap corruption that can be manipulated to achieve arbitrary code execution. This makes the vulnerability particularly dangerous in web applications, content management systems, and 3D rendering services that accept user-uploaded assets without proper validation. Security teams should conduct immediate assessment of all systems utilizing Assimp components and implement network segmentation or application firewalls to limit exposure until full patching is completed.

The impact extends beyond simple code execution as the memory corruption can potentially lead to information disclosure, privilege escalation, or complete system compromise depending on the execution environment and privileges of the affected process. Given that Assimp is widely used in game engines, CAD software, 3D modeling applications, and various multimedia frameworks, the potential attack surface for this vulnerability is extensive. Organizations should also consider implementing runtime monitoring and intrusion detection systems to identify potential exploitation attempts targeting this specific memory management flaw.

Responsible

VulDB

Disclosure

07/03/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00233

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!