VYPR
Unrated severity · NVD Advisory · Published Nov 13, 2020 · Updated Aug 4, 2024

CVE-2020-6147

Description

A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. This instance is the heap overflow in the decompression of the FIELDS section of the USDC file format.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pixar OpenUSD 20.05 contains a heap overflow in FIELDS section decompression, exploitable by opening a crafted USD file, leading to remote code execution.

Vulnerability

A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when parsing compressed sections in binary USD files. The bug occurs in the FIELDS section decompression handler within crateFile.cpp. When a USD file with format version 4 or higher is opened, sections may be compressed. The code does not properly validate decompressed data bounds, leading to a heap-based buffer overflow (CWE-122). Affected versions include OpenUSD 20.05 and likely earlier builds, as tested on macOS Catalina 10.15.3 [1].
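
The kind of bounds validation the paragraph above says was missing, as an added example (not OpenUSD's code and not taken from the advisory): a reader for a hypothetical compressed-section layout that checks every size field before and during decompression. The layout, the run-length stand-in codec, the 1 MiB cap and all function names are assumptions.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>
using Bytes = std::vector<uint8_t>;
// Hypothetical section layout (not the real USDC layout):
//   u64 declaredSize | u64 compressedSize | payload of (count, value) byte pairs
constexpr uint64_t kMaxSectionBytes = 1u << 20;  // assumed policy cap

static bool readU64(const Bytes& f, size_t off, uint64_t* v) {
    if (off > f.size() || f.size() - off < sizeof *v) return false;
    std::memcpy(v, f.data() + off, sizeof *v);   // host byte order, for brevity
    return true;
}

// Stand-in run-length codec: never writes past `cap`, and must fill it exactly.
static bool decodeExact(const uint8_t* in, size_t inLen, uint8_t* out, size_t cap) {
    if (inLen % 2 != 0) return false;            // truncated pair
    size_t w = 0;
    for (size_t i = 0; i < inLen; i += 2) {
        size_t run = in[i];
        if (run > cap - w) return false;         // would overflow destination
        if (run) std::memset(out + w, in[i + 1], run);
        w += run;
    }
    return w == cap;                             // header must agree with data
}

// Fills *out with the decompressed section; false when a size field cannot be trusted.
bool readSection(const Bytes& file, size_t off, Bytes* out) {
    uint64_t declared = 0, compressed = 0;
    if (!readU64(file, off, &declared) || !readU64(file, off + 8, &compressed))
        return false;
    const size_t payload = off + 16;             // <= file.size() after both reads
    if (declared > kMaxSectionBytes) return false;          // allocation cap
    if (compressed > file.size() - payload) return false;   // input stays inside file
    out->assign(declared, 0);
    return decodeExact(file.data() + payload, compressed, out->data(), out->size());
}

// Constructed sample input: a section whose header fields the caller controls.
Bytes makeSection(uint64_t declared, uint64_t compressed, const Bytes& pairs) {
    Bytes f(16);
    std::memcpy(f.data(), &declared, 8);
    std::memcpy(f.data() + 8, &compressed, 8);
    f.insert(f.end(), pairs.begin(), pairs.end());
    return f;
}
```

The destination is sized from one header field and the codec is told that capacity, so a payload that expands beyond the declared size is rejected instead of written.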

Exploitation

An attacker can craft a malformed USD binary file containing a compressed FIELDS section with specially sized or crafted data that causes an out-of-bounds write during decompression. The victim must open the file, e.g., via macOS thumbnail generation (automatic), iMessage on iOS (with user interaction), or any application using OpenUSD. No authentication or network position is required; the attack vector is local file opening or remote delivery of the malicious file. The overflow occurs during the parsing phase triggered by the standard USD loader [1].

Impact

Successful exploitation yields heap corruption, which can be leveraged to achieve arbitrary code execution in the context of the application using OpenUSD. This compromises confidentiality, integrity, and availability (CIA). The CVSSv3 score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) [1].

Mitigation

As of the publication date, no official patch from Pixar was available. Users should restrict opening untrusted USD files and monitor vendor updates. The vulnerability is not listed on CISA KEV. If possible, disable automatic thumbnail generation for USD files on macOS or avoid using affected versions until a fix is released [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
