CVE-2020-35631
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An out-of-bounds read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() SD.link_as_face_cycle().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in CGAL's Nef polygon parser can be exploited via a malformed file to achieve arbitrary code execution.
Vulnerability
An out-of-bounds read vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal, specifically in the SNC_io_parser::read_sface() function within Nef_S2/SNC_io_parser.h. The flaw occurs when parsing a specially crafted malformed .nef3 file, leading to an out-of-bounds read and type confusion. This vulnerability affects CGAL version 5.1.1 and is part of a larger set of code execution issues in the Nef polygon parsing code [1].
Exploitation
An attacker can exploit this vulnerability by providing a maliciously crafted .nef3 file to an application that uses the CGAL library to parse Nef polygons. No authentication or special network position is required; the attacker only needs to deliver the file (e.g., via a web upload or file sharing). The parsing process triggers an out-of-bounds read in read_sface(), which can then lead to type confusion and ultimately arbitrary code execution [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the application using CGAL. This can lead to full compromise of the affected system, including data disclosure, modification, or denial of service. The CVSSv3 score is 10.0, indicating critical severity with network attack vector, low complexity, and no privileges required [1].
Mitigation
The vulnerability is fixed in CGAL version 5.4.1, as recommended by the Gentoo security advisory (GLSA 202305-34) [2]. Users should upgrade to CGAL 5.4.1 or later. No known workaround exists for earlier versions. The affected version 5.1.1 is no longer supported, so upgrading is essential [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL Project/libcgal v5 Range: CGAL-5.1.1
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)