CVE-2020-35634
Description
A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->boundary_entry_objects Sloop_of. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read and type confusion in CGAL's Nef polygon parser (Nef_S2/SNC_io_parser.h) allows remote code execution through a specially crafted malformed file.
Vulnerability
An out-of-bounds read vulnerability exists in the Nef_S2/SNC_io_parser.h file of CGAL libcgal, specifically in the SNC_io_parser::read_sface() function when processing sfh->boundary_entry_objects Sloop_of entries. The bug occurs due to improper validation of array indices (CWE-129) [1]. Internally, the code parses a specially crafted malformed .nef3 file and reads beyond allocated memory, leading to type confusion. The vulnerability affects CGAL-5.1.1 and likely earlier versions [1]. It is one of multiple similar issues in the Nef polygon-parsing functionality [1].
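A simplified model of the index validation that the paragraph above describes as missing (CWE-129), added here as an example; it is not code from CGAL or from the cited advisories. The `Handle` type, the whitespace-separated record format and the function names are assumptions; only the `Sloop_of` table name comes from the page.

```cpp
#include <cstddef>
#include <iostream>
#include <limits>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical stand-in for a parsed object handle; not a CGAL type.
struct Handle { int id; };

// Accept a token only if it is a plain decimal index naming an existing slot.
// Rejects empty or non-numeric tokens, signs, overflow and out-of-range values.
std::optional<std::size_t> checked_index(const std::string& tok, std::size_t table_size) {
    if (tok.empty()) return std::nullopt;
    const std::size_t max = std::numeric_limits<std::size_t>::max();
    std::size_t value = 0;
    for (char c : tok) {
        if (c < '0' || c > '9') return std::nullopt;       // also rejects '-' and '+'
        std::size_t digit = static_cast<std::size_t>(c - '0');
        if (value > (max - digit) / 10) return std::nullopt; // would overflow size_t
        value = value * 10 + digit;
        if (value >= table_size) return std::nullopt;        // past the end of the table
    }
    return value;
}

// Resolve every index in one record (constructed format: whitespace-separated
// decimal indices). The whole record fails on the first bad token, so no
// table lookup ever happens with an unvalidated index.
std::optional<std::vector<Handle>> resolve_record(const std::string& line,
                                                  const std::vector<Handle>& sloop_of) {
    std::istringstream in(line);
    std::vector<Handle> out;
    std::string tok;
    while (in >> tok) {
        auto idx = checked_index(tok, sloop_of.size());
        if (!idx) return std::nullopt;
        out.push_back(sloop_of[*idx]);
    }
    return out;
}

int main() {
    std::vector<Handle> sloop_of{{10}, {11}, {12}};          // constructed sample table
    for (const char* line : {"0 2 1", "0 3", "-1", "1x"})    // constructed sample records
        std::cout << '"' << line << "\" -> "
                  << (resolve_record(line, sloop_of) ? "accepted" : "rejected") << '\n';
}
```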
Exploitation
An attacker only needs to supply a maliciously crafted .nef3 file (or similar Nef polygon input) to a target application that uses CGAL's Nef parsing routines. No authentication or special network position is required, as the parsing is typically done on user-provided files. The attacker crafts the file to trigger an out-of-bounds read during the read_sface operation, causing type confusion in the object that is subsequently used in the program's execution flow [1].
Impact
Successful exploitation can lead to arbitrary code execution with the privileges of the process using CGAL. The out-of-bounds read and resulting type confusion allow the attacker to overwrite or hijack internal data structures, leading to full compromise of the application (confidentiality, integrity, availability) [1]. The CVSSv3 score is 10.0 with network attack vector and no privileges required, indicating critical impact [1].
Mitigation
The CGAL project has addressed this and related issues in versions after 5.1.1. The Gentoo security advisory recommends upgrading to >=sci-mathematics/cgal-5.4.1 for the Gentoo distribution [2]. For other environments, users should update to a CGAL release that includes the fix (e.g., CGAL-5.4.1 or later) [2]. No known workaround exists other than upgrading [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL/libcgal (description)
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)