VYPR
Unrated severity · NVD Advisory · Published Apr 18, 2022 · Updated Apr 23, 2025

CVE-2020-28624

Description

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An out-of-bounds (OOB) read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_facet() fh->boundary_entry_objects SEdge_of.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Out-of-bounds read in CGAL libcgal 5.1.1 Nef polygon parsing enables arbitrary code execution via crafted malformed files.

Vulnerability

An out-of-bounds read vulnerability exists in the Nef_S2/SNC_io_parser.h function SNC_io_parser::read_facet() within CGAL libcgal version 5.1.1 [1]. This occurs during parsing of malformed Nef polygon files (e.g., .nef3), leading to type confusion and potential code execution [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted malformed Nef polygon file to a CGAL-based application that parses such files [1]. The attack requires no authentication and can be performed over a network (CVSS 10.0) [1]. The malicious input triggers an out-of-bounds read, followed by type confusion, ultimately allowing code execution [1].

Impact

Successful exploitation results in arbitrary code execution with high impact on confidentiality, integrity, and availability [1]. The attacker gains code execution in the context of the process using the CGAL library, potentially leading to full system compromise [1][2].

Mitigation

The vulnerability is fixed in CGAL version 5.4.1 or later [2]. Users should upgrade to the latest version. No workaround is known [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • CGAL/libcgal (llm-fuzzy)
    Range: = 5.1.1
  • CGAL Project/libcgal (v5)
    Range: CGAL-5.1.1

Patches

0

No patches discovered yet.

References

3
