Assimp: Five Memory-Safety Bugs Disclosed in glTF and FBX Parsers
Five memory-safety bugs — four null pointer dereferences and a heap buffer overflow — were disclosed in the Assimp 3D library, with exploit code already public and no patch available.
Key findings
- Five memory-safety bugs disclosed together in Assimp up to v6.0.4
- Four null pointer dereferences in glTF import code (CVE-2026-10197, CVE-2026-10198, CVE-2026-10199)
- One medium-severity heap buffer overflow in glTF 4x4 matrix parsing (CVE-2026-10200)
- One divide-by-zero in the FBX exporter's UV channel handler (CVE-2026-10201)
- All five vulnerabilities have publicly available exploit code
- No patch released yet; users should monitor the Assimp GitHub repo
Five memory-safety vulnerabilities were disclosed together on May 31–June 1, 2026 in Assimp (Open Asset Import Library), the widely used open-source 3D model import library, affecting all versions up to and including 6.0.4. Four of the five CVEs are null pointer dereferences in the glTF import code path, while the fifth is a heap-based buffer overflow in the 4x4 matrix parser — and exploit code for all five has been made public Vypr Intelligence. No patch has been released as of publication.
Four of the five bugs are null pointer dereferences clustered in the glTF2 importer. CVE-2026-10197 (CVSS 3.3, Low) triggers a null pointer dereference in glTF2Importer::ImportEmbeddedTextures inside code/AssetLib/glTF2/glTF2Importer.cpp when handling embedded texture data. CVE-2026-10198 (CVSS 3.3, Low) hits the same bug class in Assimp::glTFImporter::ImportMeshes in glTFImporter.cpp. CVE-2026-10199 (CVSS 3.3, Low) is a null pointer dereference in glTF2::LazyDict::operator[] in glTF2Asset.h. All three require local access to exploit.
The fourth null-pointer bug is CVE-2026-10197 (already noted above as part of the same cluster). The medium-severity outlier is CVE-2026-10200 (CVSS 5.3), a heap-based buffer overflow in glTFCommon::CopyValue inside glTFCommon.h during parsing of a 4x4 matrix. Unlike the null-pointer group, this overflow can be triggered remotely, making it the most dangerous of the batch. A fifth CVE, CVE-2026-10201, a divide-by-zero in the FBX exporter's UV channel handler, rounds out the disclosure Vypr Intelligence.
All five vulnerabilities have publicly available exploit code, which significantly raises the risk for any application or service that ingests untrusted 3D model files via Assimp. The library is embedded in game engines, CAD tools, and content pipelines across the industry, meaning a crafted glTF or FBX file could crash a process or, in the case of the heap overflow, potentially lead to code execution.
As of June 1, 2026, no patch has been released. The Assimp maintainers have not yet published a fixed version. Users of Assimp up to and including version 6.0.4 are advised to monitor the Assimp GitHub repository for a security release and, in the interim, avoid processing untrusted 3D model files with the affected parsers.
This batch underscores a recurring pattern in Assimp's security history: the glTF and FBX parsers, which handle complex, nested data structures, continue to be a source of memory-safety bugs. With exploit code already public and no fix available, the window of exposure is open — users should treat any untrusted glTF or FBX file as a potential attack vector until a patched version ships.