CVE-2020-28599
Description
A stack-based buffer overflow vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in OpenSCAD's STL import allows code execution via a crafted .stl file.
Vulnerability
A stack-based buffer overflow exists in the import_stl() function of OpenSCAD version openscad-2020.12-RC2 when parsing specially crafted STL files. The vulnerability occurs during the processing of vertex coordinates in the STL file, where insufficient bounds checking leads to a stack buffer overflow [1].
Exploitation
An attacker can exploit this vulnerability by providing a malicious STL file to a user who imports it into OpenSCAD using the import("file.stl"); command. No authentication is required, and the attack vector is local (user interaction required). The attacker must craft the STL file to trigger the overflow during the parsing of vertex data [1].
Impact
Successful exploitation allows an attacker to achieve arbitrary code execution in the context of the OpenSCAD process. This can lead to full compromise of the affected system, including confidentiality, integrity, and availability impacts (CVSS 8.8) [1].
Mitigation
As of the publication date (2021-02-24), no official patch has been released for OpenSCAD. The vulnerability affects openscad-2020.12-RC2. Users are advised to avoid importing STL files from untrusted sources until a fix is provided [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Openscad/openscaddescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFXQZK6BAYARVVWBBXDKPVPN3N77PPDX/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRHYUWXQ7QQIC6TXDYYLYFFF7B7L3EBD/mitrevendor-advisoryx_refsource_FEDORA
- security.gentoo.org/glsa/202107-35mitrevendor-advisoryx_refsource_GENTOO
- talosintelligence.com/vulnerability_reports/TALOS-2020-1223mitrex_refsource_MISC
- www.talosintelligence.com/vulnerability_reports/TALOS-2020-1224mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.