Assimp: Five Memory-Safety Bugs Disclosed in glTF and FBX Parsers
Five memory-safety vulnerabilities — including null pointer dereferences, a heap buffer overflow, and a divide-by-zero — were disclosed in the Assimp 3D model library, all with public exploits.
Key findings
- Five memory-safety bugs disclosed together in Assimp up to v6.0.4
- Four of the five CVEs are null pointer dereferences in glTF import code
- One medium-severity heap buffer overflow in glTF 4x4 matrix parsing (CVE-2026-10200)
- One divide-by-zero in the FBX exporter's UV channel handler (CVE-2026-10201)
- All five vulnerabilities have publicly available exploit code
- No patch released yet; users should monitor the Assimp GitHub repo
The open-source 3D model import library Assimp (Open Asset Import Library) disclosed five vulnerabilities on May 31–June 1, 2026, affecting all versions up to and including 6.0.4. The batch clusters around memory-safety bugs — null pointer dereferences, a heap-based buffer overflow, and a divide-by-zero — all of which require local access to exploit, making them a concern for developers and applications that process untrusted 3D model files on shared or multi-user systems.
Four of the five CVEs involve null pointer dereference flaws in the glTF (GL Transmission Format) import pipeline. CVE-2026-10199 resides in the glTF2::LazyDict function within glTF2Asset.h, where manipulating the operator[] argument can trigger a null pointer dereference. CVE-2026-10198 affects the Assimp::glTFImporter::ImportMeshes function in glTFImporter.cpp, also leading to a null pointer dereference. CVE-2026-10197 is found in the glTF2Importer::ImportEmbeddedTextures function inside code/AssetLib/glTF2/glTF2Importer.cpp, again a null pointer dereference in the glTF2 file handler. All three are rated Low severity with a CVSSv3 score of 3.3.
A fifth null-pointer issue was not part of this batch but the pattern is consistent: the glTF code paths lack proper null checks on user-supplied data. The remaining two CVEs cover different bug classes. CVE-2026-10200, rated Medium (CVSSv3 5.3), is a heap-based buffer overflow in the glTFCommon::CopyValue function within glTFCommon.h, triggered during parsing of a 4x4 matrix. CVE-2026-10201, rated Low (CVSSv3 3.3), is a divide-by-zero vulnerability in the FBXExporter::WriteObjects function of FBXExporter.cpp, affecting the UV channel handler in the FBX export path.
All five vulnerabilities have publicly disclosed exploits, according to the CVE descriptions. While local-access requirements limit the immediate remote-attack surface, the availability of proof-of-concept code increases risk in scenarios where Assimp is used as a library in server-side or cloud-based 3D asset processing pipelines, or in desktop applications that open model files from untrusted sources.
As of this disclosure, no official patch or updated release beyond 6.0.4 has been announced by the Assimp project. Users and downstream integrators should monitor the Assimp GitHub repository for a patched release. In the interim, developers can mitigate risk by validating and sanitizing all glTF and FBX input files before passing them to the library, and by running Assimp in sandboxed or least-privilege environments.
This batch underscores a recurring theme in Assimp's vulnerability history: the library's complex format parsers, particularly for glTF, remain a source of memory-safety bugs. With glTF becoming the standard interchange format for 3D content on the web and in game engines, the Assimp project would benefit from focused fuzzing and memory-safe rewrites of its glTF import and export code paths.