CVE-2020-6156
Description
A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. To trigger this vulnerability, the victim needs to open an attacker-provided malformed file in an instance USDC file format path element token index.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap overflow in Pixar OpenUSD 20.05 can be triggered by opening a malformed .usdc file, allowing potential remote code execution.
Vulnerability
A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when parsing compressed sections in binary USD files (USDC format). The flaw resides in the handling of the FIELDS, FIELDSETS, PATHS, and SPECS sections within files that have format version 4 or higher, where compressed content is decompressed without proper bounds checking. An attacker can craft a malicious USD file that triggers a heap-based buffer overflow (CWE-122) upon decompression. OpenUSD 20.05 and possibly earlier versions are affected; the issue was confirmed on Apple macOS Catalina 10.15.3.[1]
Exploitation
To exploit this vulnerability, an attacker must convince a victim to open a specially crafted malicious USD binary file. No authentication or special network position is required beyond delivering the file to the victim. The attacker supplies a malformed .usdc file that includes a compressed section with manipulated index or size values. When OpenUSD parses the file, the decompression routine writes beyond the allocated heap buffer due to an insufficient length check. On macOS and iOS, such files can automatically trigger thumbnail generation or be shared via iMessage, requiring only user interaction to open the file. The vulnerability does not require additional privileges or race conditions.[1]
Impact
Successful exploitation of the heap overflow can lead to remote code execution in the context of the application using OpenUSD. The CVSSv3 score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability. An attacker could potentially execute arbitrary code, control the vulnerable process, and access or modify data. This is especially impactful on Apple platforms where USD integration with SceneKit, ARKit, and ModelIO enables broad exposure.[1]
Mitigation
Pixar has not publicly released a patch for OpenUSD 20.05 as of the publication date of this CVE. Users should monitor the OpenUSD project for updates (https://openusd.org) and apply any security patches that become available. In the absence of a fix, avoid opening untrusted USD binary files, especially from untrusted sources. Disabling automatic thumbnail rendering on macOS for USD files may reduce exposure. The vulnerability is listed as CVE-2020-6156, related to CVE-2020-6147, CVE-2020-6148, CVE-2020-6149, CVE-2020-13493, and CVE-2020-6150, which all stem from similar issues in the same codebase.[1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Pixar/OpenUSDdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- talosintelligence.com/vulnerability_reports/TALOS-2020-1094mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.