MaterialX's unchecked nodeGraph->getOutput return is vulnerable to NULL Pointer Dereference
Description
MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, when parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file. This is fixed in version 1.39.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MaterialX 1.39.2 crashes via null pointer dereference in getShaderNodes when parsing a crafted MTLX file.
Vulnerability
Details
In MaterialX 1.39.2, the getShaderNodes function in src/MaterialXCore/Material.cpp contains a null pointer dereference vulnerability. When parsing a nodegraph input node that has an explicit output string via input->hasOutputString(), the code calls nodeGraph->getOutput(input->getOutputString()) without checking if the returned pointer is null. If the specified output does not exist, the function returns a null pointer, which is then dereferenced when output->getConnectedNode() is called, leading to a crash [3][4].
Attack
Vector
The vulnerability can be triggered by supplying a specially crafted MTLX file where a nodegraph input references a non-existent output name. An attacker can send such a malicious MTLX file to any application that parses shader nodes using MaterialXCore, such as the MaterialX Viewer. No authentication is required; the attacker only needs to convince the target to process the file [1][3].
Impact
Successful exploitation causes a denial of service (DoS) by crashing the target program. The attacker does not gain code execution or data access, but the instability can disrupt workflows in content creation pipelines that depend on MaterialX [3].
Mitigation
The issue is fixed in MaterialX version 1.39.3 [1]. Users should upgrade to this or a later version. As of the publication date, there is no evidence that this CVE is listed in CISA’s Known Exploited Vulnerabilities catalog.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
MaterialXPyPI | >= 1.39.2, < 1.39.3 | 1.39.3 |
Affected products
2- AcademySoftwareFoundation/MaterialXv5Range: >= 1.39.2, < 1.39.3
Patches
1e13344ba1332Add null check in getShaderNodes (#2228)
1 file changed · +5 −1
source/MaterialXCore/Material.cpp+5 −1 modified@@ -50,7 +50,11 @@ vector<NodePtr> getShaderNodes(NodePtr materialNode, const string& nodeType, con vector<OutputPtr> outputs; if (input->hasOutputString()) { - outputs.push_back(nodeGraph->getOutput(input->getOutputString())); + OutputPtr connectedOutput = nodeGraph->getOutput(input->getOutputString()); + if (connectedOutput) + { + outputs.push_back(connectedOutput); + } } else {
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-3jhf-gxhr-q4cxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-53010ghsaADVISORY
- github.com/AcademySoftwareFoundation/MaterialX/commit/e13344ba13326869d7820b444705f24d56fab73dghsax_refsource_MISCWEB
- github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-3jhf-gxhr-q4cxghsax_refsource_CONFIRMWEB
- github.com/ShielderSec/poc/tree/main/CVE-2025-53010ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.