VYPR
← All advisories
Unrated severityNVD Advisory· Published Apr 18, 2022· Updated Apr 23, 2025

CVE-2020-28614

CVE-2020-28614

Description

Multiple code execution vulnerabilities exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->shalfedges_begin().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Out-of-bounds read in CGAL's Nef polygon parser allows code execution via malformed file, affecting CGAL-5.1.1.

Vulnerability

In CGAL libcgal version 5.1.1, the Nef polygon-parsing functionality contains an out-of-bounds read vulnerability in Nef_S2/SNC_io_parser.h within SNC_io_parser::read_vertex(), specifically when accessing vh->shalfedges_begin(). This flaw can lead to type confusion and code execution. The issue is part of a larger set of vulnerabilities in the Nef parsing code [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted malformed .nef3 file to the CGAL library. No authentication or user interaction is required, and the attack can be launched remotely over a network [1]. The malformed input triggers the out-of-bounds read during parsing.

Impact

Successful exploitation allows an attacker to achieve arbitrary code execution with the privileges of the process using CGAL. The impact is high on confidentiality, integrity, and availability, with a CVSS score of 10.0 under CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H [1].

Mitigation

The vulnerability is fixed in CGAL version 5.4.1 and later. Users should upgrade to at least this version. No workaround is currently available [2].

References
  1. TALOS-2020-1225 || Cisco Talos Intelligence Group
  2. Multiple Vulnerabilities (GLSA 202305-34) — Gentoo security

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • CGAL/CGALllm-fuzzy
    Range: =5.1.1
  • CGAL Project/libcgalv5
    Range: CGAL-5.1.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.