VYPR
← All advisories
Unrated severityNVD Advisory· Published Apr 18, 2022· Updated Apr 23, 2025

CVE-2020-28612

CVE-2020-28612

Description

Multiple code execution vulnerabilities exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->svertices_begin().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CGAL libcgal-5.1.1 has an out-of-bounds read in Nef polygon parsing leading to code execution via malformed files.

Vulnerability

In CGAL libcgal-5.1.1, the Nef polygon parser (Nef_S2/SNC_io_parser.h) contains an out-of-bounds read in SNC_io_parser::read_vertex() when processing specially crafted malformed .nef3 files. The vulnerability stems from improper validation of array index (CWE-129), leading to an out-of-bounds read and type confusion [1]. This affects Nef_3 and other Nef polygon types within the CGAL library.

Exploitation

An attacker can supply a malicious .nef3 file to an application that uses CGAL to parse Nef polygons. No authentication or user interaction is required beyond opening the file. The parser reads beyond allocated memory, leading to type confusion and potentially allowing an attacker to control program flow [1].

Impact

Successful exploitation can result in arbitrary code execution with the privileges of the process using CGAL, leading to complete compromise of confidentiality, integrity, and availability (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) [1].

Mitigation

A fix for this vulnerability is included in CGAL version 5.4.1 [2]. Users should upgrade to CGAL >=5.4.1. No workaround is available at this time [2].

References
  1. TALOS-2020-1225 || Cisco Talos Intelligence Group
  2. Multiple Vulnerabilities (GLSA 202305-34) — Gentoo security

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • CGAL/CGALllm-fuzzy
    Range: =5.1.1
  • CGAL Project/libcgalv5
    Range: CGAL-5.1.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.