CVE-2020-28626
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An out-of-bounds read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_facet() fh->incident_volume().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple out-of-bounds read and type confusion vulnerabilities in CGAL Nef polygon parsing allow remote code execution via crafted files.
Vulnerability
CGAL versions prior to 5.4.1 contain multiple code execution vulnerabilities in the Nef polygon-parsing functionality, specifically in the SNC_io_parser::read_facet() function within Nef_S2/SNC_io_parser.h. A malformed .nef3 file can trigger an out-of-bounds read and type confusion due to improper validation of array indices (CWE-129) [1][2]. The vulnerability is present in the CGAL-5.1.1 release and affects all versions before 5.4.1.
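The defect class named above (CWE-129, an index read from the file used to address a container without a range check) is easiest to see in a toy parser. The following is an added illustration written for this page, not CGAL's code and not the .nef3 format: it models a file whose facet records name their incident volume by integer index, shows the unchecked lookup pattern beside a checked one, and validates cross-references at parse time so a malformed file is rejected instead of dereferenced. All type and function names are hypothetical.

```cpp
#include <cstddef>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical toy model: a "volume" record carries an id, a "facet" record
// refers to the volume it is incident to by its position in the volume table.
struct Volume { int id; };
struct Facet { std::size_t incident_volume; };

struct Model {
    std::vector<Volume> volumes;
    std::vector<Facet> facets;
};

// Unchecked lookup: the CWE-129 pattern. If the index came straight from
// the file, an out-of-range value reads past the end of `volumes`
// (out-of-bounds read). Shown for contrast only; never use on untrusted input.
const Volume& incident_volume_unchecked(const Model& m, const Facet& f) {
    return m.volumes[f.incident_volume];
}

// Checked lookup: the parsed index is compared against the table size before
// it is used, so malformed input becomes an exception, not a memory access.
const Volume& incident_volume_checked(const Model& m, const Facet& f) {
    if (f.incident_volume >= m.volumes.size())
        throw std::out_of_range("facet refers to a volume outside the volume table");
    return m.volumes[f.incident_volume];
}

// Parses lines of the form "volume <id>" and "facet <volume-index>" (toy
// format, volumes must precede the facets that reference them). Returns false
// on any malformed token, negative index, or index outside the volume table.
bool parse_model(const std::string& text, Model& out) {
    std::istringstream in(text);
    std::string kind;
    while (in >> kind) {
        long long value;
        if (!(in >> value)) return false;          // non-integer token
        if (kind == "volume") {
            out.volumes.push_back(Volume{static_cast<int>(value)});
        } else if (kind == "facet") {
            if (value < 0) return false;           // reject before the size_t cast
            Facet f{static_cast<std::size_t>(value)};
            if (f.incident_volume >= out.volumes.size()) return false;  // dangling reference
            out.facets.push_back(f);
        } else {
            return false;                          // unknown record type
        }
    }
    return true;
}

// Constructed sample inputs, wrapped so each outcome is a checkable value.
bool demo_accepts_valid_file() {
    Model m;
    if (!parse_model("volume 7\nvolume 9\nfacet 1\n", m)) return false;
    return m.facets.size() == 1 && incident_volume_checked(m, m.facets[0]).id == 9;
}

bool demo_rejects_out_of_range_index() {
    Model m;
    return !parse_model("volume 7\nfacet 5\n", m);   // only index 0 exists
}

bool demo_rejects_negative_index() {
    Model m;
    return !parse_model("volume 7\nfacet -1\n", m);  // would wrap to a huge size_t
}

bool demo_checked_lookup_throws() {
    Model m;
    m.volumes.push_back(Volume{1});
    Facet bogus{42};                                 // index never validated by the parser
    try { incident_volume_checked(m, bogus); } catch (const std::out_of_range&) { return true; }
    return false;
}
```

The parse-time check is the one that matters for a file format: every index that crosses from the file into a container subscript is validated against the table it addresses before any later code trusts it, and the negative-value check happens before the signed-to-unsigned conversion that would otherwise turn -1 into a very large index.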
Exploitation
An attacker can provide a specially crafted malformed file (e.g., .nef3) to any application using CGAL to parse Nef polygons. No authentication or user interaction is required beyond opening the file. The attacker must craft data that induces an out-of-bounds read in fh->incident_volume() [1]. This can be done remotely if the application loads user-supplied files over a network.
Impact
Successful exploitation can lead to arbitrary code execution in the context of the process using CGAL. The CVSSv3 score is 10.0 (Critical) with network attack vector, low complexity, no privileges required, and no user interaction [1]. The impact includes full compromise of confidentiality, integrity, and availability.
Mitigation
The fix is available in CGAL version 5.4.1, released June 2022 [2]. All users should upgrade to CGAL 5.4.1 or later. Gentoo users can run emerge --oneshot --verbose ">=sci-mathematics/cgal-5.4.1" [2]. There is no known workaround; upgrading is the only mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL Project / libcgal v5 (range: CGAL-5.1.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- security.gentoo.org/glsa/202305-34 (source: MITRE; type: vendor advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (source: MITRE; type: mailing list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (source: MITRE)
News mentions
No linked articles in our index yet.