CVE-2020-6149
Description
A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. To trigger this vulnerability, the victim needs to open an attacker-provided malformed file. This instance of the vulnerability is in the PATHS section of the USDC file format.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap overflow in Pixar OpenUSD 20.05's parsing of compressed USDC file sections allows remote code execution via a malformed file.
Vulnerability
A heap overflow vulnerability exists in Pixar OpenUSD version 20.05 when parsing compressed sections in binary USD files. Specifically, the issue resides in the decompression logic for the PATHS section of USDC files [1]. The vulnerability is a heap-based buffer overflow (CWE-122) that occurs when the software processes malformed compressed data in that section [1].
Exploitation
To exploit this vulnerability, an attacker must craft a malicious USD file containing a compressed PATHS section with specially crafted data that triggers the heap overflow upon decompression [1]. The victim must open this file in an application using Pixar OpenUSD 20.05, such as a 3D rendering tool or an iOS/macOS application that processes USD files via ModelIO (e.g., ARKit, SceneKit) [1]. No authentication or special privileges are required; user interaction is limited to opening the file [1].
Impact
Successful exploitation can lead to remote code execution (RCE) in the context of the targeted application [1]. The CVSSv3 score is 8.8, indicating high impact on confidentiality, integrity, and availability, with a network attack vector and low attack complexity [1]. The attacker gains the ability to execute arbitrary code, potentially leading to full compromise of the affected system [1].
Mitigation
As of the publication of this CVE (November 13, 2020), no patch was available from Pixar [1]. Users are advised to avoid opening USD files from untrusted or unverified sources [1]. The affected version is OpenUSD 20.05; upgrading to a later version with a fix, once released, is recommended [1]. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Pixar/OpenUSD
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2020-1094 (mitre, x_refsource_MISC)