Unrated severity · NVD Advisory · Published Dec 11, 2020 · Updated Aug 4, 2024

CVE-2020-13520

Description

An out-of-bounds memory corruption vulnerability exists in the way Pixar OpenUSD 20.05 reconstructs paths from binary USD files. A specially crafted malformed file can trigger an out-of-bounds memory modification, which can result in remote code execution. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pixar OpenUSD 20.05 has an out-of-bounds memory corruption in path reconstruction from binary USD files, leading to remote code execution.

Vulnerability

An out-of-bounds memory corruption vulnerability exists in Pixar OpenUSD version 20.05 when reconstructing SDF paths from specially crafted binary USD files. The flaw resides in the CrateFile::_BuildDecompressedPathsImpl function, which processes pathIndexes, elementTokenIndexes, and jumps arrays from the PATHS section. Insufficient bounds checking during index lookups can cause a write beyond allocated memory. The issue is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) [2].

Exploitation

To exploit this vulnerability, an attacker must provide a malformed USD binary file that triggers an out-of-bounds memory modification during parsing. The victim must open the malicious file using an application that relies on OpenUSD, such as Apple's ModelIO framework (used by SceneKit and ARKit). On macOS, USD thumbnails may be automatically rendered, while on iOS, user interaction (e.g., opening a shared file via iMessage) is required [2]. No authentication or special network position is needed; the attack vector is remote via file delivery.

Impact

Successful exploitation can lead to arbitrary code execution with the privileges of the application processing the file. The CVSSv3 score is 8.8 (High) with impacts on confidentiality, integrity, and availability all rated as HIGH [2]. On Apple platforms, this could allow a malicious USD file to execute arbitrary code with system privileges, as indicated by related CVE-2020-27914 [1].

Mitigation

Apple addressed this vulnerability in macOS Big Sur 11.1, Security Update 2020-001 Catalina, and Security Update 2020-007 Mojave released on December 14, 2020, by improving input validation (CVE-2020-27914) [1]. Upstream Pixar OpenUSD users should update to a version newer than 20.05, as the fix is included in later releases. No workaround is available if the software cannot be updated.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Pixar/OpenUSD (source: description)
  • Pixar/OpenUSD (source: llm-fuzzy)
    Range: = 20.05

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check on pathIndexes values allows out-of-bounds writes to the _paths vector in _BuildDecompressedPathsImpl."

Attack vector

An attacker crafts a malformed USD binary file containing oversized pathIndexes values in the PATHS section. When a victim opens this file (e.g., via macOS thumbnail rendering, iMessage, or the sdfdump tool), the _BuildDecompressedPathsImpl function uses these attacker-controlled indices to write SdfPath objects into the _paths vector without bounds checking [ref_id=1]. Because pathIndexes are 32-bit integers, a large value causes out-of-bounds memory writes at lines [1] and [2] of the code, potentially leading to remote code execution [CWE-119]. The victim only needs to access the malformed file; no special privileges are required.

Affected code

The vulnerable function is CrateFile::_BuildDecompressedPathsImpl in USD-20.05/pxr/usd/usd/crateFile.cpp (line 3461 in the crash trace). The bug occurs at the two write sites labeled [1] and [2] in the code snippet, where pathIndexes[thisIndex] is used to index into the _paths vector without bounds validation [ref_id=1].

What the fix does

The advisory does not include a patch diff, but the root cause is clear: the code at _BuildDecompressedPathsImpl uses pathIndexes[thisIndex] to index into the _paths vector without verifying that the index is within the vector's bounds [ref_id=1]. A proper fix would add a bounds check on pathIndexes values before they are used as array indices at lines [1] and [2] of the code snippet. The advisory recommends that users update to a patched version of OpenUSD when available; no official patch is shown in the provided bundle.
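
The kind of bounds check described above, as an added example; it is not OpenUSD's code and not the fix Pixar or Apple shipped. Strings stand in for SdfPath and tokens, and `PathsSection`, `buildPaths`, `sampleSection`, the jump encoding and the negative-token-means-property rule are assumptions of this example.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Model of the PATHS arrays named in the advisory; strings replace SdfPath.
// Assumed encoding (this example only): jump >0 = child next, sibling at
// i+jump; -1 = child only; 0 = sibling next; -2 = leaf. Negative token = property.
struct PathsSection {
    std::vector<uint32_t> pathIndexes;
    std::vector<int32_t> elementTokenIndexes;
    std::vector<int32_t> jumps;
};

// Fills `paths` (pre-sized by the caller) or returns false with `err` set.
// Every file-supplied index is range-checked before it is used.
bool buildPaths(const PathsSection& s, const std::vector<std::string>& tokens,
                std::vector<std::string>& paths, std::string& err) {
    const size_t n = s.pathIndexes.size();
    if (s.elementTokenIndexes.size() != n || s.jumps.size() != n) { err = "array length mismatch"; return false; }
    std::vector<bool> seen(n, false);                  // each entry visited once
    std::vector<std::pair<size_t, std::string>> work;  // (entry, parent path)
    if (n) work.emplace_back(0, "");
    while (!work.empty()) {
        const size_t i = work.back().first;
        const std::string parent = work.back().second;
        work.pop_back();
        if (i >= n || seen[i]) { err = "entry index out of range or revisited"; return false; }
        seen[i] = true;
        const uint32_t slot = s.pathIndexes[i];
        if (slot >= paths.size()) { err = "pathIndex out of range"; return false; }
        const int64_t tok = s.elementTokenIndexes[i];  // widened so negating INT32_MIN is safe
        const uint64_t t = tok < 0 ? -tok : tok;
        if (t >= tokens.size()) { err = "token index out of range"; return false; }
        std::string path = "/";                        // an entry with no parent is the root
        if (!parent.empty())
            path = parent + (tok < 0 ? "." : parent == "/" ? "" : "/") + tokens[t];
        paths[slot] = path;                            // the write site, now checked
        const int32_t j = s.jumps[i];
        const bool child = j > 0 || j == -1, sibling = j >= 0;
        if (child && sibling) work.emplace_back(i + j, parent);
        if (child) work.emplace_back(i + 1, path);
        else if (sibling) work.emplace_back(i + 1, parent);
    }
    return true;
}

// Constructed sample: "/", "/World", "/World/Cube", "/World/Cube.size".
PathsSection sampleSection() { return {{0, 1, 2, 3}, {0, 1, 2, -3}, {-1, -1, -1, -2}}; }
```

Rejecting the whole file on the first bad index leaves the path table partially filled, so the caller should discard it rather than use what was written.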

Preconditions

  • input: Attacker must provide a malformed USD binary file with crafted pathIndexes values exceeding the _paths vector bounds.
  • network: No network access required; the victim must open the file locally (e.g., via file system, iMessage, or thumbnail rendering).
  • auth: No authentication required.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
