CVE-2022-0497
Description
A vulnerability was found in OpenSCAD, where a .scad file with no trailing newline could cause an out-of-bounds read during parsing of annotations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenSCAD 2021.01 (commit 374fa58) is vulnerable to an out-of-bounds read in its comment parser when processing a .scad file without a trailing newline.
Vulnerability
An out-of-bounds read vulnerability exists in OpenSCAD's comment parser, specifically in the getComment() function at src/comment.cc:95. When a .scad file lacks a trailing newline, the parser's loop searches for a \n character without checking whether it has reached the end of the string, leading to a read beyond the allocated buffer. Affected versions include OpenSCAD at commit 374fa58 (pre-2021.01 release) [1][2].
Exploitation
An attacker can trigger the out-of-bounds read by supplying a specially crafted .scad file that ends without a newline character. No special privileges or authentication are required; the victim only needs to open the file with OpenSCAD (e.g., via command-line export). The crash occurs during annotation parsing, as shown by the segmentation fault reported with UBSan [2].
Impact
This is a read-only out-of-bounds access. While it does not directly enable code execution or data corruption, it can be used to bypass security mechanisms such as stack canaries and pointer encryption by leaking memory content [2]. The vulnerability leads to a denial-of-service condition (segmentation fault) and may aid in further exploitation when combined with other bugs [3].
Mitigation
The issue was fixed in OpenSCAD pull request #4044, which adds a bounds check to the comment parser [1]. Users should update to a version containing that fix (e.g., commits after 374fa58). No workaround exists for unpatched versions; users can avoid opening untrusted .scad files. The CVE is marked as low severity [3] and is not listed on CISA's Known Exploited Vulnerabilities (KEV).
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Openscad/Openscad
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check in the comment parser loop allows an out-of-bounds read when a file lacks a trailing newline."
Attack vector
An attacker provides a specially crafted `.scad` file that lacks a trailing newline character. When OpenSCAD parses annotations in this file, the `getComment()` function at `comment.cc:95` reads past the end of the string buffer because the loop only searches for `\n` without checking the string's length [ref_id=1]. This results in an out-of-bounds read, which can cause a segmentation fault. While the read does not allow writing, it can be used to bypass security features such as stack canaries and pointer encryption [ref_id=1].
Affected code
The vulnerability is in `src/comment.cc` at line 95, in the `getComment()` function. The loop that seeks through the `fulltext` string only checks for a newline character (`\n`) but does not check whether it has reached the end of the string. This allows an out-of-bounds read when a `.scad` file has no trailing newline [ref_id=1].
What the fix does
The proposed mitigation is to also check against `fulltext.size()` in the loop at `comment.cc:95`, ensuring the read position never exceeds the length of the file [ref_id=1]. No patch commit is included in the bundle, so the fix has not been published in the provided materials. The advisory recommends adding a bounds check to prevent the loop from reading past the end of the string when no trailing newline is present.
Preconditions
- Input: The attacker must supply a .scad file that has no trailing newline character.
- Config: The victim must open or process the malicious .scad file with a vulnerable version of OpenSCAD (commit 374fa58).
Reproduction
1. Obtain a `.scad` file with no trailing newline (the PoC file referenced in the advisory).
2. Run `openscad --export-format stl -o /dev/null oobr_comment.scad`.
3. Observe the segmentation fault and the out-of-bounds read reported by UndefinedBehaviorSanitizer at `comment.cc:95` [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- bugzilla.redhat.com/show_bug.cgi
- github.com/openscad/openscad/issues/4043
- github.com/openscad/openscad/pull/4044
News mentions
No linked articles in our index yet.