CVE-2020-28619
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_edge() eh->twin().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read vulnerability in CGAL's Nef polygon parsing can lead to code execution via specially crafted files.
Vulnerability
An out-of-bounds read vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal version 5.1.1. Specifically, the function SNC_io_parser::read_edge() in Nef_S2/SNC_io_parser.h improperly validates array indices when handling eh->twin(), leading to an out-of-bounds read and type confusion. This issue is classified as CWE-129 (Improper Validation of Array Index) [1]. Multiple similar CVEs were addressed for related parsing flaws [1].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted malformed .nef3 file to an application that uses the CGAL library. No authentication or user interaction is required beyond opening the malicious file. The vulnerability is triggered during parsing of the Nef polygon data, where the out-of-bounds read can lead to type confusion and subsequent memory corruption, enabling code execution [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the process using CGAL. The CVSS v3 score is 10.0, indicating critical severity with full impact on confidentiality, integrity, and availability [1][2].
Mitigation
The vulnerability is fixed in CGAL version 5.4.1 and later [2]. Users should upgrade to the latest version. There is no known workaround, and the Gentoo security advisory recommends updating to >=sci-mathematics/cgal-5.4.1 [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL Project/libcgal v5, range: CGAL-5.1.1
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)