CVE-2020-28609
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An out-of-bounds (OOB) read vulnerability exists in Nef_2/PM_io_parser.h, in PM_io_parser::read_face() at store_iv().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read vulnerability in CGAL's Nef polygon parser allows code execution via a crafted file.
Vulnerability
An out-of-bounds read vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal, specifically in the PM_io_parser::read_face() function's store_iv() call within Nef_2/PM_io_parser.h. This occurs when parsing a specially crafted malformed Nef polygon file. The issue affects CGAL version 5.1.1 [1].
Exploitation
An attacker can exploit this vulnerability by providing a maliciously crafted Nef polygon file (e.g., .nef3 format) to an application using the CGAL library for parsing. No authentication or user interaction is required, and the attack can be launched over a network. The malformed input triggers an out-of-bounds read, leading to type confusion and potential code execution [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the process using the CGAL library. This can result in complete compromise of confidentiality, integrity, and availability of the system [1].
Mitigation
The available references do not explicitly disclose a fix. It is recommended to update to a version of CGAL that includes a patch for this vulnerability when one becomes available. No workaround is mentioned in the advisory [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- CGAL Project/libcgal v5, Range: CGAL-5.1.1
Patches
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.