MaterialX's Lack of Import Depth Limit Leads to DoS (Denial-Of-Service) Via Stack Exhaustion
Description
MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, nested imports of MaterialX files can lead to a crash via stack memory exhaustion, due to the lack of a limit on the "import chain" depth. When parsing file imports, recursion is used to process nested files; however, no limit is imposed on the depth of files that the library will parse. By building a sufficiently deep chain of MaterialX files, each referencing the next, it is possible to crash the process using the MaterialX library via stack exhaustion. This is fixed in version 1.39.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MaterialX before 1.39.3 lacks an import depth limit, allowing crash via stack exhaustion from nested imports.
Vulnerability
MaterialX, an open standard for material exchange, supports importing files via XInclude. In versions prior to 1.39.3, the parser recursively processes nested imports without any depth limit, leading to stack memory exhaustion when a deeply nested chain of files is parsed [2].
Exploitation
An attacker can craft a sequence of MaterialX files that reference one another in a deep chain. If a victim parses a malicious .mtlx file (e.g., via MaterialXView), the recursion can exhaust the stack, crashing the application. On Windows, an attacker could host the chain on a network share to trigger the vulnerability [2].
Impact
Successful exploitation causes a denial-of-service (DoS) via process crash. No authentication or special privileges are required, as the vulnerability is triggered during parsing [3].
Mitigation
The issue is fixed in MaterialX 1.39.3 by introducing MAX_XINCLUDE_DEPTH and MAX_XML_TREE_DEPTH constants (both set to 256) to limit recursion depth [4]. Users should upgrade to version 1.39.3 or later.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
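As an added illustration of the mitigation described above, the following Python sketch models an XInclude-style include resolver both without a depth check (the pre-1.39.3 behaviour) and with one. This is example code, not MaterialX's own implementation: the in-memory document store, the `make_chain`, `resolve_unbounded`, `resolve_bounded` and `check_document` helpers, and the simplified `<xi:include>` matching are all constructed here; only the limit value of 256 is taken from the advisory.

```python
# Added example (not MaterialX's own code): a minimal recursive include
# resolver showing the depth-limit mitigation described in the advisory.
# Document contents, file names and helper names are constructed here.

import re

# Same value the advisory cites for the MAX_XINCLUDE_DEPTH constant in 1.39.3.
MAX_XINCLUDE_DEPTH = 256

# Simplified matcher for <xi:include href="..."/> elements (constructed;
# a real parser would use a proper XML library).
INCLUDE_RE = re.compile(r'<xi:include\s+href="([^"]+)"\s*/>')


class ImportDepthExceeded(Exception):
    """Raised when the include chain grows past the configured limit."""


def make_chain(length):
    """Constructed stand-in for files on disk: doc0 includes doc1, doc1
    includes doc2, ..., and the last document includes nothing."""
    files = {}
    for i in range(length):
        href = f'<xi:include href="doc{i + 1}.mtlx"/>' if i + 1 < length else ""
        files[f"doc{i}.mtlx"] = f'<materialx version="1.39">{href}</materialx>'
    return files


def resolve_unbounded(name, files):
    """Pre-fix behaviour: recurse through includes with no depth check.
    One stack frame per nesting level, so a long enough chain exhausts
    the stack (RecursionError in Python, a hard crash in native code)."""
    loaded = [name]
    for href in INCLUDE_RE.findall(files[name]):
        loaded.extend(resolve_unbounded(href, files))
    return loaded


def resolve_bounded(name, files, depth=0, max_depth=MAX_XINCLUDE_DEPTH):
    """Fixed behaviour: check the depth *before* descending, so the
    recursion can never go deeper than max_depth frames."""
    if depth > max_depth:
        raise ImportDepthExceeded(f"include chain deeper than {max_depth} at {name}")
    loaded = [name]
    for href in INCLUDE_RE.findall(files[name]):
        loaded.extend(resolve_bounded(href, files, depth + 1, max_depth))
    return loaded


def check_document(name, files, max_depth=MAX_XINCLUDE_DEPTH):
    """Parse a root document with the bounded resolver and report
    (accepted, number_of_files_loaded_or_error_message)."""
    try:
        loaded = resolve_bounded(name, files, max_depth=max_depth)
    except ImportDepthExceeded as err:
        return False, str(err)
    return True, len(loaded)


if __name__ == "__main__":
    print(check_document("doc0.mtlx", make_chain(3)))
    print(check_document("doc0.mtlx", make_chain(MAX_XINCLUDE_DEPTH + 2)))
    # A self-including file is also stopped by the same bound.
    cyclic = {"a.mtlx": '<materialx><xi:include href="a.mtlx"/></materialx>'}
    print(check_document("a.mtlx", cyclic))
```

Two design points carry over to any real parser: the depth test has to run before the recursive call, not after it returns, and the same bound also terminates cyclic or self-referencing includes, which would otherwise recurse just as deeply as a long linear chain.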
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| MaterialX (PyPI) | >= 1.39.2, < 1.39.3 | 1.39.3 |
Affected products
- AcademySoftwareFoundation/MaterialX (range: >= 1.39.2, < 1.39.3)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qc2h-74x3-4v3w (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-53012 (NVD entry)
- github.com/AcademySoftwareFoundation/MaterialX/blob/main/documents/Specification/MaterialX.Specification.md (MaterialX specification)
- github.com/AcademySoftwareFoundation/MaterialX/pull/2233/commits/6182c07467297416a30d148ab531d81198686dc5 (fix commit)
- github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3 (release v1.39.3)
- github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-qc2h-74x3-4v3w (project security advisory)
News mentions
No linked articles in our index yet.