CVE-2020-35632
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->boundary_entry_objects Edge_of.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in CGAL's Nef polygon parser leads to type confusion and code execution, affecting CGAL-5.1.1.
Vulnerability
The vulnerability resides in the Nef_S2/SNC_io_parser.h file of the CGAL library, specifically in the SNC_io_parser::read_sface() function, where the sfh->boundary_entry_objects Edge_of is used without validating its index [1]. This out-of-bounds read can lead to type confusion, allowing an attacker to trigger memory corruption. The flaw is present in CGAL-5.1.1 and affects all uses of the Nef polygon-parsing functionality for 3‑dimensional operations (Nef_3) [1].
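A simplified model of the bug class described above, added here as an illustration and not CGAL's code or its fix: an index read from the file is checked against the table size before it is used. Edge, resolve_edge and resolve_id are hypothetical names, and the sample inputs are constructed.

```cpp
// Simplified model, not CGAL code: Edge, resolve_edge and resolve_id are
// hypothetical names used to show index validation in a file parser.
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct Edge { int id; };

// Reads one index token from `in` and resolves it against `edge_of`.
// The unchecked pattern would be `return &edge_of[index];` with `index`
// taken straight from the file. Here every failure returns nullptr so the
// caller can reject the file.
const Edge* resolve_edge(std::istream& in, const std::vector<Edge>& edge_of) {
    long long index = 0;
    if (!(in >> index)) return nullptr;   // missing, non-numeric or overflowing token
    if (index < 0) return nullptr;        // negative index
    if (static_cast<unsigned long long>(index) >= edge_of.size())
        return nullptr;                   // index past the end of the table
    return &edge_of[static_cast<std::size_t>(index)];
}

// Builds a table of `table_size` edges and resolves the index found in
// `text` (constructed sample input). Returns the edge id, or -1 if rejected.
int resolve_id(const std::string& text, std::size_t table_size) {
    std::vector<Edge> edge_of;
    for (std::size_t i = 0; i < table_size; ++i)
        edge_of.push_back(Edge{static_cast<int>(i)});
    std::istringstream in(text);
    const Edge* e = resolve_edge(in, edge_of);
    return e ? e->id : -1;
}

int main() {
    const char* samples[] = {"2", "3", "-1", "abc", "99999999999999999999999"};
    for (const char* s : samples)
        std::cout << s << " -> " << resolve_id(s, 3) << "\n";
    return 0;
}
```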
Exploitation
An attacker must craft a malformed .nef3 file and supply it to a program that uses CGAL’s Nef polygon parser [1]. The attack requires no authentication or user interaction because parsing is triggered when the file is loaded over a network or from local input. The out-of-bounds read occurs during the processing of a specially crafted boundary_entry_objects Edge_of entry [1].
Impact
Successful exploitation results in type confusion, out-of-bounds memory access, and potentially arbitrary code execution in the context of the process using the library [1]. Given the network attack vector and the lack of required privileges, an attacker could achieve full compromise of confidentiality, integrity, and availability (CVSSv3 score 10.0) [1].
Mitigation
The CGAL project released version 5.4.1 on 2022‑09‑14, which includes fixes for these vulnerabilities [2]. All users of CGAL should upgrade to version 5.4.1 or later [2]. Gentoo provides the updated package via emerge --ask --oneshot --verbose ">=sci-mathematics/cgal-5.4.1" [2]. No workarounds are known; the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL Project/libcgal v5, Range: CGAL-5.1.1
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)