VYPR
Unrated severity · NVD Advisory · Published Apr 18, 2022 · Updated Apr 23, 2025

CVE-2020-28602

Description

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An OOB read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Halfedge_of[].

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read vulnerability in CGAL's Nef polygon parsing (PM_io_parser::read_vertex) allows code execution via a crafted file.

Vulnerability

An out-of-bounds read vulnerability exists in the Nef_2/PM_io_parser.h file of CGAL libcgal version 5.1.1, specifically in the PM_io_parser::read_vertex() function when parsing Halfedge_of[] indices. This flaw occurs within the Nef polygon-parsing functionality, where a specially crafted malformed .nef3 file can trigger an out-of-bounds read and type confusion, potentially leading to code execution. The vulnerability is present in CGAL versions up to 5.1.1, as reported by Cisco Talos [1].

Exploitation

An attacker can exploit this vulnerability by providing a maliciously crafted Nef polygon file (e.g., .nef3) to an application that uses the CGAL library to parse such files. No authentication or special network position is required if the application processes untrusted input. The attacker must craft the file to cause an out-of-bounds read in the read_vertex() function, leading to a type confusion condition.

Impact

Successful exploitation could allow an attacker to execute arbitrary code in the context of the process using CGAL. This can result in full compromise of confidentiality, integrity, and availability. The CVSSv3 score for similar issues is 10.0 (Critical) [1].

Mitigation

The vulnerability is addressed in CGAL version 5.4.1 and later [2]. Users should upgrade to this version or later. No known workaround exists for unpatched versions. The Gentoo security advisory (GLSA 202305-34) recommends upgrading to >=sci-mathematics/cgal-5.4.1 [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • CGAL/CGAL (llm-fuzzy)
    Range: =5.1.1
  • CGAL Project/libcgal (v5)
    Range: CGAL-5.1.1

Patches

0

No patches discovered yet.

References

3
