VYPR
Unrated severity · NVD Advisory · Published Apr 18, 2022 · Updated Apr 23, 2025

CVE-2020-28621

Description

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An out-of-bounds (OOB) read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_edge() eh->out_sedge().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read in CGAL's Nef polygon parser can lead to code execution via a crafted file.

Vulnerability

An out-of-bounds read vulnerability exists in the SNC_io_parser::read_edge() function within Nef_S2/SNC_io_parser.h of CGAL libcgal version 5.1.1 [1]. The flaw occurs when parsing a specially crafted malformed .nef3 file, leading to an out-of-bounds read and type confusion in the eh->out_sedge() call. This vulnerability is part of a larger set of code execution issues in the Nef polygon-parsing functionality [1].

Exploitation

An attacker can exploit this vulnerability by providing a malicious .nef3 file to an application that uses CGAL to parse Nef polygons. No authentication or special network position is required; the attack can be delivered remotely if the application accepts user-supplied files [1]. The attacker crafts a malformed file that triggers the out-of-bounds read during parsing, potentially leading to type confusion [1].

Impact

Successful exploitation allows an attacker to achieve arbitrary code execution in the context of the process using CGAL. The CVSSv3 score is 10.0, indicating a complete compromise of confidentiality, integrity, and availability (CIA) [1]. The attacker gains full control over the affected system.

Mitigation

The vulnerability is fixed in CGAL version 5.4.1 and later [2]. Users should upgrade to this version or newer. There is no known workaround for this issue [2]. The Gentoo security advisory (GLSA 202305-34) recommends upgrading all CGAL installations [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • CGAL/CGAL (llm-fuzzy)
    Range: = 5.1.1
  • CGAL Project/libcgal (v5)
    Range: CGAL-5.1.1
