CVE-2026-10197
Description
A null pointer dereference in Assimp's glTF2Importer::ImportEmbeddedTextures allows local attackers to crash the application via a crafted glTF file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A null pointer dereference vulnerability exists in the glTF2Importer::ImportEmbeddedTextures function within code/AssetLib/glTF2/glTF2Importer.cpp of the Assimp library up to version 6.0.4 [1]. The bug occurs when processing a crafted glTF file whose mimeType string lacks a '/' character. The code uses strchr to locate the slash and then performs pointer arithmetic (+1) on the result without checking for NULL. When the slash is absent, strchr returns NULL, and adding 1 yields an invalid pointer (0x1), which is subsequently dereferenced, causing a crash [1].
Exploitation
An attacker with local access can exploit this vulnerability by providing a specially crafted glTF file that contains a malformed mimeType value (e.g., missing the '/' delimiter) [1]. No authentication or special privileges are required beyond the ability to load the file into an application using the vulnerable Assimp version. The attack is triggered when the library processes the embedded textures of the glTF asset, leading to the null pointer dereference [1].
Impact
Successful exploitation results in a null pointer dereference, causing the application to crash (denial of service). The CVSS v3 score is 3.3 (Low), reflecting the local attack vector and limited impact (availability only). No evidence of code execution or data exfiltration is present in the available references [1].
Mitigation
A fix has been proposed in pull request #6645, which adds a null check for the slash pointer before deriving the extension [3]. As of the publication date, the fix has not been merged into a stable release. Users are advised to apply the patch manually or avoid processing untrusted glTF files until an official update is available [1][3].
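Until a patched build is deployed, incoming assets can be screened for the malformed field before they reach the importer. The following is an added example, not code from Assimp or from the cited references: it reads a `.gltf` or `.glb` blob and reports every `images[].mimeType` value that has no '/' delimiter. The function names and the sample document are hypothetical, and it assumes only the `mimeType` member needs checking.

```python
import json
import struct

GLB_MAGIC = 0x46546C67       # "glTF" as a little-endian uint32
GLB_CHUNK_JSON = 0x4E4F534A  # "JSON" as a little-endian uint32


def extract_gltf_json(blob):
    """Return the JSON document from a .gltf (text) or .glb (binary) blob."""
    if len(blob) >= 12 and struct.unpack_from("<I", blob, 0)[0] == GLB_MAGIC:
        if len(blob) < 20:
            raise ValueError("truncated GLB: no chunk header")
        chunk_len, chunk_type = struct.unpack_from("<II", blob, 12)
        if chunk_type != GLB_CHUNK_JSON or 20 + chunk_len > len(blob):
            raise ValueError("malformed GLB: first chunk is not a complete JSON chunk")
        blob = blob[20:20 + chunk_len]
    doc = json.loads(blob.decode("utf-8"))
    if not isinstance(doc, dict):
        raise ValueError("glTF root is not a JSON object")
    return doc


def images_missing_slash(blob):
    """Return [(image index, mimeType)] for mimeType values with no '/' delimiter."""
    images = extract_gltf_json(blob).get("images", [])
    findings = []
    for idx, image in enumerate(images if isinstance(images, list) else []):
        mime = image.get("mimeType") if isinstance(image, dict) else None
        if not isinstance(mime, str) or not mime:
            continue  # absent or empty: the importer's empty() guard skips these
        # Conservative assumption: strchr() stops at an embedded NUL, so only
        # the part before the first NUL counts when looking for the slash.
        if "/" not in mime.split("\x00", 1)[0]:
            findings.append((idx, mime))
    return findings


# Constructed sample (not from a real asset): image 1 lacks the '/' delimiter.
SAMPLE = json.dumps({
    "asset": {"version": "2.0"},
    "images": [
        {"bufferView": 0, "mimeType": "image/png"},
        {"bufferView": 1, "mimeType": "imagepng"},
        {"uri": "texture.png"},
    ],
}).encode("utf-8")

if __name__ == "__main__":
    for idx, mime in images_missing_slash(SAMPLE):
        print(f"images[{idx}]: mimeType {mime!r} has no '/'; quarantine before import")
```

A parse error raises `ValueError`, so a caller can treat unreadable files the same way as flagged ones and keep them away from the importer.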
AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (1)
be52ebbbc5f4: Merge 0951a52207c53101ddcf0f533b0f9ce5851f6579 into be3d938e3e22d364b38807a247b3593fa7b260bd
1 file changed · +3 −2
code/AssetLib/glTF2/glTF2Importer.cpp+3 −2 modified@@ -1734,8 +1734,9 @@ void glTF2Importer::ImportEmbeddedTextures(glTF2::Asset &r) { tex->pcData = reinterpret_cast<aiTexel *>(data); if (!img.mimeType.empty()) { - const char *ext = strchr(img.mimeType.c_str(), '/') + 1; - if (ext) { + const char *slash = strchr(img.mimeType.c_str(), '/'); + if (slash != nullptr) { + const char *ext = slash + 1; if (strncmp(ext, "jpeg", 4) == 0) { ext = "jpg"; } else if (strcmp(ext, "ktx2") == 0) { // basisu: ktx remains
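Review bot: in the new `if (slash != nullptr)` branch, a mimeType that ends at the delimiter (for example `image/`) still reaches `const char *ext = slash + 1;` with `ext` pointing at an empty string, which then runs through the `strncmp`/`strcmp` chain as if it were a real subtype. Consider `if (slash != nullptr && slash[1] != '\0')` so an empty subtype is handled like a missing one. The change also touches only glTF2Importer.cpp, so a regression test that imports an asset whose mimeType has no '/' would be worth adding alongside it.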
Vulnerability mechanics
Root cause
"Missing null check on the return value of strchr before performing pointer arithmetic in glTF2Importer::ImportEmbeddedTextures."
Attack vector
An attacker provides a crafted glTF file containing a texture with a malformed `mimeType` value that does not include a '/' character [ref_id=1]. When Assimp processes this file, `strchr` returns NULL, and the subsequent `+1` arithmetic produces an invalid pointer (0x1) that is dereferenced, causing a crash [ref_id=1]. The attack requires local access to load the malicious file [CVE description].
Affected code
The vulnerability resides in `glTF2Importer::ImportEmbeddedTextures` in `code/AssetLib/glTF2/glTF2Importer.cpp` [ref_id=1]. The function performs pointer arithmetic on the result of `strchr` without a null check, leading to a null pointer dereference when the `mimeType` string lacks a '/' character [patch_id=4017826].
What the fix does
The patch stores the result of `strchr` in a local pointer `slash` and checks it for `nullptr` before computing `ext = slash + 1` [patch_id=4017826]. This prevents the null pointer dereference that occurred when `mimeType` lacked a '/' character [ref_id=3]. The change is minimal and scoped only to the vulnerable code path.
Preconditions
- input: The attacker must be able to supply a crafted glTF file with a malformed mimeType field in an embedded texture.
- network: The attack requires local access to the system to load the file into Assimp.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
News mentions (0)
No linked articles in our index yet.