CVE-2020-28608
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An out-of-bounds read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_face() store_fc().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple code execution vulnerabilities in CGAL-5.1.1 Nef polygon parsing via malformed file due to out-of-bounds read and type confusion.
Vulnerability
In CGAL version 5.1.1, multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality. Specifically, an out-of-bounds read vulnerability is found in the function PM_io_parser::read_face() in Nef_2/PM_io_parser.h [1]. A specially crafted malformed file can trigger an out-of-bounds read and type confusion, leading to potential code execution. The vulnerability affects the Nef_2, Nef_3, and Nef_S2 parsing code [1].
Exploitation
An attacker with network access can provide a maliciously crafted .nef3 file (or other Nef format) to the application using CGAL. No authentication is required as the parsing occurs during file loading. By supplying a malformed file that triggers the out-of-bounds read and type confusion, the attacker can execute arbitrary code. The Talos advisory indicates a CVSSv3 score of 10.0, suggesting ease of exploitation [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the application using CGAL. This leads to complete compromise of confidentiality, integrity, and availability (C:I:A). The attacker could potentially take full control of the affected system.
Mitigation
The Gentoo security advisory (GLSA 202305-34) recommends upgrading to CGAL version 5.4.1 or later [2]. No known workaround exists [2]. Users should update their CGAL installations to the latest patched version to mitigate these vulnerabilities.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL Project/libcgal v5, Range: CGAL-5.1.1
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)