VYPR
← All advisories
Unrated severityNVD Advisory· Published Apr 18, 2022· Updated Apr 23, 2025

CVE-2020-35629

CVE-2020-35629

Description

Multiple code execution vulnerabilities exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->facet().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Out-of-bounds read and type confusion in CGAL's Nef polygon parser can lead to code execution via a crafted file.

Vulnerability

An out-of-bounds read vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal version 5.1.1, specifically in Nef_S2/SNC_io_parser.h within the SNC_io_parser::read_sloop() function when accessing slh->facet(). The flaw occurs due to improper validation of array indices, which can be triggered when parsing a specially crafted malformed .nef3 file [1].

Exploitation

An attacker can exploit this vulnerability by providing a malicious input file to any application that uses the CGAL library version 5.1.1 to parse Nef polygons. No authentication or user interaction beyond opening the file is required, and the attack vector is network-based [1].

Impact

Successful exploitation leads to arbitrary code execution in the context of the process using the library. The impact includes complete compromise of confidentiality, integrity, and availability, with a CVSSv3 score of 10.0 [1].

Mitigation

A fix is available in CGAL version 5.4.1. Gentoo users can upgrade by running emerge --sync and then emerge --ask --oneshot --verbose \">=sci-mathematics/cgal-5.4.1" [2]. No workaround is known [2].

References
  1. TALOS-2020-1225 || Cisco Talos Intelligence Group
  2. Multiple Vulnerabilities (GLSA 202305-34) — Gentoo security

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • CGAL/CGALllm-fuzzy
    Range: 5.1.1
  • CGAL Project/libcgalv5
    Range: CGAL-5.1.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.