CVE-2026-10199
Description
A null pointer dereference in Assimp's glTF2 importer allows local attackers to crash the application via a crafted glTF file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A null pointer dereference vulnerability exists in Assimp up to version 6.0.4 in the function glTF2::LazyDict::operator[] within glTF2Asset.h. The issue occurs when the ImportAnimations function in glTF2Importer.cpp retrieves a node from a LazyDict without checking if the pointer is null. If a malformed glTF 2.0 file contains an animation channel referencing a node index that is not present in the nodes array, the code dereferences a null pointer, leading to a crash [1][3].
Exploitation
An attacker with local access can exploit this vulnerability by providing a specially crafted glTF file that triggers the null pointer dereference. The attack requires no special privileges beyond the ability to load the file using Assimp. A proof-of-concept (PoC) is publicly available, demonstrating the crash via the assimp_fuzzer_gltf tool [1].
Impact
Successful exploitation results in a denial of service (DoS) due to a segmentation fault. The vulnerability does not allow arbitrary code execution or information disclosure. The CVSS v3 score is 3.3 (Low), reflecting the local attack vector and limited impact [1][description].
Mitigation
The issue is fixed in commit d24b85319bd70c65883a2b96613e07e23fb95981, which adds null pointer validation before dereferencing the node. Users should update to a version of Assimp that includes this patch (post-6.0.4). No workarounds are documented [3][4].
- Bug: [glTF] NULL pointer dereference in glTF2::LazyDict::operator[] due to unchecked node access in ImportAnimations
- Fix glTF2 ImportAnimations null deref on invalid target node (#6646) · assimp/assimp@d24b853
- Fix glTF2 ImportAnimations null deref on invalid target node by SAY-5 · Pull Request #6646 · assimp/assimp
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 1
d24b85319bd7: Fix glTF2 ImportAnimations null deref on invalid target node (#6646)
1 file changed · +16 −2
code/AssetLib/glTF2/glTF2Importer.cpp+16 −2 modified@@ -1612,10 +1612,17 @@ void glTF2Importer::ImportAnimations(glTF2::Asset &r) { int j = 0; for (auto &iter : samplers) { if ((nullptr != iter.second.rotation) || (nullptr != iter.second.scale) || (nullptr != iter.second.translation)) { - ai_anim->mChannels[j] = CreateNodeAnim(r, r.nodes[iter.first], iter.second); + Ref<Node> targetNode = r.nodes.Get(iter.first); + Node *nodePtr = targetNode ? targetNode.operator->() : nullptr; + if (!nodePtr) { + ASSIMP_LOG_WARN("Animation ", anim.name, ": Invalid target node index ", iter.first, ". Skipping channel."); + continue; + } + ai_anim->mChannels[j] = CreateNodeAnim(r, *nodePtr, iter.second); ++j; } } + ai_anim->mNumChannels = j; } ai_anim->mNumMorphMeshChannels = numMorphMeshChannels; @@ -1625,10 +1632,17 @@ void glTF2Importer::ImportAnimations(glTF2::Asset &r) { int j = 0; for (auto &iter : samplers) { if (nullptr != iter.second.weight) { - ai_anim->mMorphMeshChannels[j] = CreateMeshMorphAnim(r, r.nodes[iter.first], iter.second); + Ref<Node> targetNode = r.nodes.Get(iter.first); + Node *nodePtr = targetNode ? targetNode.operator->() : nullptr; + if (!nodePtr) { + ASSIMP_LOG_WARN("Animation ", anim.name, ": Invalid target node index ", iter.first, ". Skipping morph channel."); + continue; + } + ai_anim->mMorphMeshChannels[j] = CreateMeshMorphAnim(r, *nodePtr, iter.second); ++j; } } + ai_anim->mNumMorphMeshChannels = j; } // Use the latest key-frame for the duration of the animation
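Review bot: in the first hunk, when every sampler is skipped the loop exits with `ai_anim->mNumChannels = j;` equal to 0 while `ai_anim->mChannels` remains allocated for the pre-skip count, so a crafted file with only invalid target indices now yields an animation that claims no channels but still owns a channel array; consider dropping the animation (or sizing the allocation after the loop) when `j == 0` rather than passing it on to consumers. Also, one `ASSIMP_LOG_WARN` per skipped sampler means a file with many invalid channels logs once per channel, which is fine for diagnostics but worth a single summary line if log volume matters.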
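Review bot: in the second hunk, the `Ref<Node> targetNode` / `nodePtr` / `if (!nodePtr)` block is a verbatim copy of the node-channel loop above; factor it into a small helper (index and animation name in, `Node *` out, warning emitted inside) so the two loops cannot drift apart. Note also that `ai_anim->mNumMorphMeshChannels = j;` overwrites the `ai_anim->mNumMorphMeshChannels = numMorphMeshChannels;` assignment visible in the previous hunk's trailing context, so that earlier write is now redundant and should be removed to leave one source of truth for the count.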
Vulnerability mechanics
Root cause
"Missing null-pointer validation when accessing a node from LazyDict in ImportAnimations allows a crafted glTF file to trigger a null pointer dereference."
Attack vector
An attacker provides a crafted glTF 2.0 file whose animation channels reference a node index whose LazyDict slot is null (for example, animations are defined without a matching nodes array). When Assimp parses this file, `ImportAnimations` calls `r.nodes[iter.first]`, which dereferences the null pointer and causes a segmentation fault. The attack requires local access to load the malicious file, and the precondition is that the input glTF file has animations but no valid nodes array [ref_id=1].
Affected code
The vulnerability resides in `glTF2Importer.cpp` within the `ImportAnimations` function, which calls `glTF2::LazyDict<Node>::operator[]` in `glTF2Asset.h`. The code directly dereferences a node pointer from the LazyDict without validating whether the pointer is null, leading to a crash when a malformed glTF file defines animations but lacks a corresponding nodes array [ref_id=1].
What the fix does
The patch replaces the direct `r.nodes[iter.first]` call with `r.nodes.Get(iter.first)`, which returns a `Ref<Node>` that can be null-checked. A raw pointer `nodePtr` is extracted and validated; if null, the channel is skipped with a warning log instead of crashing. Additionally, `mNumChannels` and `mNumMorphMeshChannels` are set to the actual count `j` after skipping invalid entries, preventing out-of-bounds access on the channel arrays [patch_id=4018976].
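As an added illustration that is not Assimp's code, the following minimal C++ model contrasts the unchecked lookup with the patched pattern: `Ref`, `LazyDict`, `Asset`, `Channel`, `ImportResult` and `importChannels` are stand-ins for the glTF2 importer types, not the project's real API.

```cpp
// Added example (not Assimp's code): a minimal model of the glTF2
// ImportAnimations fix. Ref, LazyDict, Asset, Channel, ImportResult and
// importChannels are illustrative stand-ins, not the real importer types.
#include <cstddef>
#include <string>
#include <vector>

struct Node { std::string name; };

// Stand-in for a nullable handle like glTF2::Ref<T>.
template <typename T> struct Ref {
    T *ptr = nullptr;
    explicit operator bool() const { return ptr != nullptr; }
    T &operator*() const { return *ptr; }
};

// Stand-in for glTF2::LazyDict<Node>: a slot is null when the index has no
// backing entry (e.g. the file defines animations but no "nodes" array).
struct LazyDict {
    std::vector<Node *> slots;
    // Patched path: returns an empty Ref that the caller can test.
    Ref<Node> Get(unsigned idx) const {
        return (idx < slots.size()) ? Ref<Node>{slots[idx]} : Ref<Node>{};
    }
    // Pre-fix path: assumes the entry exists and dereferences a null slot.
    Node &operator[](unsigned idx) const { return *slots[idx]; }
};

struct Asset { LazyDict nodes; };
struct Channel { unsigned targetNode; bool hasTransform; };
struct ImportResult { std::vector<std::string> channels; std::vector<unsigned> skipped; };

// Mirrors the patched loop: resolve the target through Get(), skip channels
// whose node is missing, and report how many were actually kept so the
// caller sets the channel count to the real number, not the allocated size.
ImportResult importChannels(const Asset &r, const std::vector<Channel> &samplers) {
    ImportResult out;
    for (const Channel &c : samplers) {
        if (!c.hasTransform) continue;         // nothing to animate on this sampler
        Ref<Node> target = r.nodes.Get(c.targetNode);
        if (!target) {                         // the validation the fix adds
            out.skipped.push_back(c.targetNode);
            continue;
        }
        out.channels.push_back((*target).name);
    }
    return out;
}
```

A file with animations and no nodes array maps to an `Asset` whose `slots` vector is empty, so every channel is skipped instead of reaching `operator[]`.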
Preconditions
- Input: The attacker must supply a glTF 2.0 file that contains animation definitions but lacks a valid nodes array, causing LazyDict slots to be null.
- Network: The attack is local; the user must open the malicious file with an application using the Assimp library.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 7
News mentions: 0
No linked articles in our index yet.