VYPR
Unrated severity · NVD Advisory · Published Dec 2, 2020 · Updated Sep 16, 2024

CVE-2020-13498

Description

An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 parses certain encoded types. A specially crafted malformed file can trigger an arbitrary out-of-bounds memory access, which could lead to information disclosure. This vulnerability could be used to bypass mitigations and aid further exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pixar OpenUSD 20.05 is vulnerable to out-of-bounds memory read during parsing of malformed files, leading to information disclosure.

Vulnerability

Pixar OpenUSD version 20.05 contains an out-of-bounds read vulnerability (CWE-125) in its handling of specially crafted encoded types within the USD binary file format [1]. The flaw exists in the parsing of the FIELDS section's compressed array of 64-bit integers; the encoding uses the top three bits to specify inline, compressed, or array values, but lacks proper bounds checking on offsets derived from the remaining 48 bits [1]. An attacker can trigger an arbitrary out-of-bounds memory access by providing a malformed USD file. Affected versions include Pixar OpenUSD 20.05, and the vulnerability is reachable on Apple macOS Catalina 10.15.3 via the ModelIO framework [1].
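
An added example, not code from OpenUSD or from the advisory: decoding the 64-bit encoded value described above and checking its offset against the file size before any read. The macro and function names, the order of the three flag bits, the low-48-bit payload position, and the `need` read length are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: three flag bits at the top of the 64-bit word, payload in
 * the low 48 bits. Names and exact bit order are illustrative. */
#define REP_ARRAY      (UINT64_C(1) << 63)
#define REP_INLINED    (UINT64_C(1) << 62)
#define REP_COMPRESSED (UINT64_C(1) << 61)
#define REP_PAYLOAD    ((UINT64_C(1) << 48) - 1)

typedef struct {
    bool is_array, is_inlined, is_compressed;
    uint64_t payload; /* inline value, or byte offset into the file */
} rep_t;

static rep_t rep_decode(uint64_t word)
{
    rep_t r = { (word & REP_ARRAY) != 0, (word & REP_INLINED) != 0,
                (word & REP_COMPRESSED) != 0, word & REP_PAYLOAD };
    return r;
}

/* True only if reading `need` bytes at the encoded offset stays in the file. */
static bool rep_is_safe(rep_t r, uint64_t file_size, uint64_t need)
{
    if (r.is_inlined) return true;            /* payload is the value itself */
    if (r.payload > file_size) return false;  /* offset lies past end of file */
    return need <= file_size - r.payload;     /* subtraction cannot wrap here */
}

/* Index of the first entry that must be rejected, or `count` if all pass. */
static size_t first_unsafe_rep(const uint64_t *w, size_t count,
                               uint64_t file_size, uint64_t need)
{
    for (size_t i = 0; i < count; i++)
        if (!rep_is_safe(rep_decode(w[i]), file_size, need))
            return i;
    return count;
}

int main(void)
{
    /* Constructed sample words, not taken from a real file. */
    const uint64_t w[] = { REP_INLINED | 7, 0x100, REP_ARRAY | 0xFFFFFFFFFFFF };
    printf("first unsafe entry: %zu\n", first_unsafe_rep(w, 3, 4096, 8));
    return 0;
}
```

The length check is written as `need <= file_size - payload` rather than `payload + need <= file_size` so that a large payload cannot wrap the addition and pass.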

Exploitation

To exploit this vulnerability, an attacker must provide a specially crafted USD file to a victim [1]. No authentication or special network position is required; the victim only needs to open the file. On macOS, USD files are automatically processed to generate thumbnails, and on iOS they can be shared via iMessage and opened with user interaction [1]. The attacker does not need any prior access to the system. The exploitation sequence involves crafting a USD binary file that encodes invalid offsets in the compressed array, causing the parser to read memory outside the intended buffer [1].

Impact

Successful exploitation leads to an out-of-bounds memory read, which can disclose sensitive information from the process's address space [1]. This information disclosure can be used to bypass memory mitigations (e.g., ASLR) and aid further exploitation of the system [1]. The CVSSv3 score is 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N), indicating low confidentiality impact with no direct integrity or availability impact [1]. The attacker gains no code execution or privilege escalation directly from this bug, but the memory leak can weaken security boundaries for subsequent attacks [1].

Mitigation

The vendor (Pixar) is aware of the issue and a fix is required; no patched version is mentioned in the available references as of the advisory date (December 2020) [1]. Users should apply any future updates from Pixar for OpenUSD. On Apple platforms, limiting processing of untrusted USD files and disabling automatic thumbnail generation can reduce exposure [1]. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

1
