CVE-2020-13496
Description
An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 parses certain encoded types. A specially crafted malformed file can trigger an arbitrary out of bounds memory access in TfToken Type Index. This vulnerability could be used to bypass mitigations and aid further exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pixar OpenUSD 20.05 is vulnerable to an out-of-bounds read via a malformed file, potentially leading to information disclosure.
Vulnerability
A vulnerability exists in Pixar OpenUSD version 20.05, specifically within the parsing of certain encoded types in the TfToken Type Index. A specially crafted malformed USD file can trigger an arbitrary out-of-bounds memory access due to improper handling of a compressed array of 64-bit integers in the FIELDS section. This can lead to reading data beyond allocated buffers. The affected product is also used on Apple macOS Catalina 10.15.3 as part of the ModelIO framework [1].
Exploitation
An attacker needs to provide a malformed USD file to a victim. The victim must open this file using an application that relies on Pixar OpenUSD 20.05, such as macOS thumbnail rendering (which occurs automatically) or via user interaction on iOS through iMessage. No authentication or network access is required beyond delivering the file. The out-of-bounds read is triggered when the parser processes the encoded array [1].
Impact
Successful exploitation results in information disclosure due to the out-of-bounds read. The vulnerability has a CVSSv3 score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N), indicating low impact on confidentiality and no impact on integrity or availability. It cannot directly achieve code execution, but could be used to bypass mitigations and aid further exploitation [1].
Mitigation
As of the available references, no official patch or fixed version has been disclosed by Pixar for OpenUSD 20.05. Users are advised to follow vendor updates and exercise caution when opening USD files from untrusted sources. Apple may address this in future macOS updates. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Pixar/OpenUSD
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2020-1105 (mitre, x_refsource_MISC)