CVE-2020-28616
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An out-of-bounds read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->sfaces_begin().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in CGAL's Nef polygon parser allows remote code execution via a crafted file.
Vulnerability
An out-of-bounds read vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. Specifically, in Nef_S2/SNC_io_parser.h, the function SNC_io_parser::read_vertex() accesses vh->sfaces_begin() without proper bounds checking, leading to an out-of-bounds read and type confusion [1]. This is one of multiple code execution vulnerabilities in the Nef polygon parser, all triggered by specially crafted malformed files [1].
Exploitation
An attacker can exploit this vulnerability by providing a maliciously crafted .nef3 file to an application using CGAL. No authentication or user interaction beyond opening the file is required. The parser processes the malformed input, causing an out-of-bounds read that leads to type confusion, which can be leveraged for code execution [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the process using CGAL. This results in complete compromise of confidentiality, integrity, and availability. The CVSSv3 score is 10.0 (Critical) [1].
Mitigation
The vulnerability is fixed in CGAL version 5.4.1 and later [2]. Users should upgrade to at least this version. No known workaround exists for earlier versions [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL Project/libcgal v5, Range: CGAL-5.1.1
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)