CVE-2020-28632
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An out-of-bounds read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->incident_sface().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple code execution vulnerabilities in CGAL libcgal 5.1.1 Nef polygon parsing, triggered by malformed files via out-of-bounds read and type confusion.
Vulnerability
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal version 5.1.1 [1]. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, specifically in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() when handling seh->incident_sface() [1]. The affected code is reachable when parsing .nef3 files [1].
Exploitation
An attacker can provide a malicious input file to trigger any of these vulnerabilities [1]. No authentication or special privileges are required, as the parsing occurs with user-controlled input [1]. The out-of-bounds read and type confusion occur during the parsing process, allowing the attacker to corrupt memory [1].
Impact
Successful exploitation leads to arbitrary code execution due to the out-of-bounds read and type confusion [1]. The attacker can achieve full control over the affected application, compromising confidentiality, integrity, and availability [1]. The CVSS score is 10.0, indicating critical severity with network exploitation, no privileges required, and no user interaction needed [1].
Mitigation
According to the available references, there is no known workaround [2]. The Gentoo security advisory recommends upgrading to CGAL version 5.4.1 or later, which contains fixes for these vulnerabilities [2]. Users should update to the latest version as soon as possible.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL Project/libcgal v5 (Range: CGAL-5.1.1)
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)