| Título | Assimp commit 17c12da Double Free |
|---|
| Descrição | A critical double-free memory corruption vulnerability exists in Assimp Library's PLY model parsing and exporting module. The flaw stems from conflicting memory ownership management of aiScene and aiMesh objects during model loading and exporting operations. When loading a maliciously crafted PLY model file via Assimp::Importer::ReadFileFromMemory and directly passing the returned const aiScene* object to Assimp::Exporter::ExportToBlob, duplicate memory release operations are triggered. The ExportToBlob function takes ownership of the scene object through std::unique_ptr<aiScene> and frees the associated aiMesh memory during pointer destruction. Subsequently, the Assimp::Importer destructor attempts to free the already released mesh memory again, resulting in a valid double-free corruption. This vulnerability occurs due to unreasonable memory ownership rules between the importer and exporter modules, causing redundant release of heap memory allocated by the PLY format loader. Remote attackers can exploit this flaw by supplying a malformed PLY model file, triggering memory corruption and program crash to cause a denial-of-service (DoS) condition, and potentially enabling arbitrary code execution or sensitive memory information disclosure. |
|---|
| Fonte | ⚠️ https://github.com/assimp/assimp/issues/6620 |
|---|
| Utilizador | TYGLS (UID 94774) |
|---|
| Submissão | 01/06/2026 08h11 (há 1 mês) |
|---|
| Moderação | 03/07/2026 15h44 (1 month later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 376112 [Open Asset Import Library Assimp até 6.0.4 PLY Model PlyLoader.cpp ExportToBlob Excesso de tampão] |
|---|
| Pontos | 20 |
|---|