VYPR
Unrated severity · NVD Advisory · Published Apr 18, 2022 · Updated Apr 23, 2025

CVE-2020-28613

Description

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->svertices_last().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read in CGAL's Nef polygon parsing can lead to code execution via a crafted malformed file.

Vulnerability

An out-of-bounds read vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal version CGAL-5.1.1. Specifically, in the SNC_io_parser::read_vertex() function within Nef_S2/SNC_io_parser.h, the code fails to properly validate an array index when accessing vh->svertices_last(), leading to an out-of-bounds read and type confusion. This is one of multiple code execution vulnerabilities in the Nef polygon parsing code [1].
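
The bug class described above, shown as an added example in a simplified model; this is not CGAL's code. The `Tables` and `SVertex` types, the two-index record layout and all function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <sstream>
#include <string>
#include <vector>

// Simplified model (assumption): a vertex record in the file stores
// indices into an object table that was filled from the file header.
struct SVertex { int id; };

struct Tables {
    std::vector<SVertex> svertices;
};

// Unchecked pattern: the index read from the file is trusted as-is.
// Any value outside [0, size) reads past the table (undefined behaviour),
// and the caller then treats whatever is there as an SVertex.
inline const SVertex* lookup_unchecked(const Tables& t, long idx) {
    return &t.svertices[static_cast<std::size_t>(idx)];
}

// Checked pattern: reject the index before it becomes a pointer.
inline const SVertex* lookup_checked(const Tables& t, long idx) {
    if (idx < 0 || static_cast<std::size_t>(idx) >= t.svertices.size())
        return nullptr;
    return &t.svertices[static_cast<std::size_t>(idx)];
}

// Parse one constructed record "first last" of svertex indices.
// Returns false on malformed text or on any out-of-range index,
// so the caller can abort the load instead of using a bad pointer.
inline bool read_vertex_record(const Tables& t, const std::string& line,
                               const SVertex*& first, const SVertex*& last) {
    std::istringstream in(line);
    long a = 0, b = 0;
    if (!(in >> a >> b)) return false;   // non-numeric or overflowing token
    first = lookup_checked(t, a);
    last  = lookup_checked(t, b);
    return first != nullptr && last != nullptr;
}
```
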

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted malformed .nef3 file to an application that uses the CGAL library to parse Nef polygons. No authentication or special network position is required; the attacker only needs to deliver the malicious file to the target system. When the file is parsed, the out-of-bounds read triggers type confusion, which can be leveraged to achieve code execution [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the process using the CGAL library. The CVSSv3 score is 10.0 (Critical), indicating full compromise of confidentiality, integrity, and availability [1].

Mitigation

The vulnerability is fixed in CGAL version 5.4.1 and later. Users should upgrade to at least this version. The Gentoo security advisory (GLSA 202305-34) recommends upgrading to >=sci-mathematics/cgal-5.4.1 [2]. No known workaround exists for earlier versions.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • CGAL/libcgal (llm-fuzzy)
    Range: = 5.1.1
  • CGAL Project/libcgal (v5)
    Range: CGAL-5.1.1

References

3