CVE-2020-28605
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An out-of-bounds (OOB) read exists in Nef_2/PM_io_parser.h PM_io_parser::read_hedge() e->set_vertex().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in the Nef polygon parser of CGAL 5.1.1 allows remote attackers to execute arbitrary code via a crafted .nef3 file.
Vulnerability
An out-of-bounds read vulnerability exists in the Nef_2/PM_io_parser.h function PM_io_parser::read_hedge() within CGAL versions prior to 5.4.1 [1][2]. The flaw is triggered when parsing a specially crafted malformed .nef3 file, leading to an invalid array index and type confusion. The affected code path resides in the Nef polygon-parsing functionality [1].
Exploitation
An attacker can exploit this vulnerability by supplying a malicious .nef3 (or .nef2 or .nefs2) file to a target application that uses the CGAL library to parse such files. No authentication or user interaction beyond opening the file is required [1]. The out-of-bounds read occurs during the set_vertex call within the vertex record parsing logic, allowing the attacker to control the read offset and potentially corrupt memory [1].
Impact
Successful exploitation can lead to arbitrary code execution in the context of the application using CGAL. The CVSS score (10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) indicates full compromise of confidentiality, integrity, and availability [1]. An attacker could achieve remote code execution without any prior privileges.
Mitigation
The CGAL project has fixed this vulnerability in versions 5.4.1 and later [2]. Users should upgrade to CGAL 5.4.1 or newer. As a general precaution, avoid processing untrusted .nef3 files with unpatched versions. No other workaround is known [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL Project/libcgal v5 (Range: CGAL-5.1.1)
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)