VYPR
Unrated severity · NVD Advisory · Published Apr 18, 2022 · Updated Apr 23, 2025

CVE-2020-28618

Description

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An OOB read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->shalfloop().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read vulnerability in CGAL libcgal's Nef polygon parser (CGAL-5.1.1) allows remote code execution via a specially crafted file.

Vulnerability

An out-of-bounds read vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal, specifically in Nef_S2/SNC_io_parser.h within the SNC_io_parser::read_vertex() function. The issue involves improper validation of array indices (CWE-129) when processing a specially crafted malformed .nef3 file. This vulnerability is present in CGAL-5.1.1 and earlier versions [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted malformed .nef3 file to an application using CGAL's Nef polygon parsing. No authentication or user interaction is required; the attack can be performed remotely over a network. The malformed file triggers an out-of-bounds read during parsing, leading to type confusion [1].

Impact

Successful exploitation can lead to arbitrary code execution in the context of the application using the CGAL library. The vulnerability has a CVSSv3 score of 10.0, indicating a critical impact on confidentiality, integrity, and availability, with no privileges required and a changed scope [1].

Mitigation

The Gentoo security advisory (GLSA 202305-34) recommends upgrading to CGAL version 5.4.1 or later, where the vulnerability is patched. No known workaround is available for affected versions [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • CGAL/libcgal (llm-fuzzy)
    Range: =5.1.1
  • CGAL Project/libcgal (v5)
    Range: CGAL-5.1.1

Patches

0

No patches discovered yet.

References

3
