CVE-2020-13531

Vulnerability

A use-after-free vulnerability exists in Pixar OpenUSD version 20.08 when processing reference paths in textual USD files. The flaw resides in the _EvalRefOrPayloadArcs function during scene composition, where a freed memory pointer is reused, leading to memory corruption. The vulnerability is triggered when a victim opens a malformed USD file provided by an attacker [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious USD file with specially crafted reference paths. No authentication or special network position is required; the victim only needs to open the file using an application that relies on OpenUSD, such as those on macOS or iOS that use the ModelIO framework. User interaction is necessary, as the victim must open the file (e.g., via iMessage or by viewing a thumbnail on macOS) [1].

Impact

Successful exploitation results in arbitrary code execution with the privileges of the victim. The use-after-free can lead to further memory corruption, potentially allowing an attacker to execute arbitrary code, read sensitive information, or cause a denial of service. The CVSSv3 score is 8.8, indicating high impact on confidentiality, integrity, and availability [1].

Mitigation

As of the publication date (2020-12-03), no official patch or fixed version of OpenUSD has been released. Users are advised to avoid opening untrusted USD files from unknown sources. On macOS and iOS, disabling automatic thumbnail generation for USD files may reduce exposure. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].