CVE-2020-28634
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An OOB read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->next().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read and type confusion in CGAL's Nef polygon parsing can allow remote code execution via crafted input.
Vulnerability
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. Specifically, an out-of-bounds (OOB) read vulnerability lies in Nef_S2/SNC_io_parser.h in the SNC_io_parser::read_sedge() function, where seh->next() is accessed without proper bounds checking. This OOB read can lead to type confusion. The vulnerability affects versions up to and including CGAL-5.1.1, and the code is reachable when parsing .nef3 files (and similar Nef polygon formats) via the CGAL library [1].
Exploitation
An attacker can exploit this vulnerability by supplying a specially crafted malformed .nef3 file (or other Nef polygon input) to an application that uses the CGAL library. No authentication or prior access is required; the attacker only needs to trigger the parsing function. The lack of proper validation of array indices leads to an OOB read, which in turn causes type confusion during the parsing process [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the application using the CGAL library. The CVSS score of 10.0 indicates complete compromise of confidentiality, integrity, and availability, with an attack vector over the network, low complexity, and no privileges or user interaction required [1].
Mitigation
The issue has been fixed in CGAL version 5.4.1, as per the Gentoo security advisory [2]. Users of CGAL should upgrade to version 5.4.1 or later. No workaround is available. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL Project/libcgal v5 Range: CGAL-5.1.1
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)