VYPR
← All advisories
Unrated severityNVD Advisory· Published Apr 18, 2022· Updated Apr 23, 2025

CVE-2020-28604

CVE-2020-28604

Description

Multiple code execution vulnerabilities exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_hedge() e->set_next().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Out-of-bounds read and type confusion in CGAL's Nef polygon parsing (version 5.1.1) can lead to code execution via a crafted file.

Vulnerability

An out-of-bounds (OOB) read and type confusion vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. Specifically, in Nef_2/PM_io_parser.h, the PM_io_parser::read_hedge() function fails to properly validate array indices, allowing an attacker to trigger an OOB read when processing a specially crafted malformed .nef3 file. [1]

Exploitation

An attacker can exploit this vulnerability by providing a malicious .nef3 file to an application using the CGAL library. No authentication or user interaction is required beyond opening the file; the attacker can deliver the file via network or other means. The parsing of the malformed input triggers the OOB read, leading to type confusion and potential code execution. [1]

Impact

Successful exploitation allows arbitrary code execution in the context of the application using CGAL. The CVSSv3 score is 10.0 (Critical), with high impact on confidentiality, integrity, and availability. [1]

Mitigation

CGAL has released a fix in version 5.4.1 [2]. Users should upgrade to CGAL-5.4.1 or later. There is no known workaround for this vulnerability. [1][2]

References
  1. TALOS-2020-1225 || Cisco Talos Intelligence Group
  2. Multiple Vulnerabilities (GLSA 202305-34) — Gentoo security

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • CGAL/CGALllm-fuzzy
    Range: = 5.1.1
  • CGAL Project/libcgalv5
    Range: CGAL-5.1.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.