CVE-2020-28600
Description
An out-of-bounds write vulnerability exists in the import_stl.cc:import_stl() functionality of OpenSCAD openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds write in OpenSCAD's import_stl() function allows code execution via a crafted STL file.
Vulnerability
A CWE-119 out-of-bounds write vulnerability exists in the import_stl() function within import_stl.cc of OpenSCAD version openscad-2020.12-RC2 [1]. The issue occurs when parsing a specially crafted STL file; insufficient bounds checking during vertex processing can lead to memory corruption.
Exploitation
An attacker can exploit this vulnerability by providing a malicious STL file to a user who imports it via the import("file.stl") command [1]. No authentication is required, but user interaction is necessary. The attack vector is local, or network-based if the user downloads the file from an untrusted source.
Impact
Successful exploitation results in arbitrary code execution with the privileges of the OpenSCAD process, leading to a complete compromise of confidentiality, integrity, and availability [1]. The CVSSv3 score is 8.8.
Mitigation
As of the report date, no patch or fixed version has been released for openscad-2020.12-RC2 [1]. Users should avoid opening STL files from untrusted sources until an update is provided by the OpenSCAD project.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- osv-coords (2 versions): pkg:rpm/opensuse/openscad&distro=openSUSE%20Leap%2015.2, pkg:rpm/suse/openscad&distro=SUSE%20Package%20Hub%2015%20SP2; range: < 2019.05-lp152.2.3.1 (+ 1 more)
- (no CPE) range: < 2019.05-lp152.2.3.1
- (no CPE) range: < 2019.05-bp152.2.3.1
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2020-1224 (mitre, x_refsource_MISC)