VYPR
Medium severity (CVSS 5.3) · NVD Advisory · Published Jun 1, 2026

CVE-2026-10230

Description

Heap-buffer-overflow in Assimp 6.0.4 and earlier in HL1MDLLoader::read_animations() allows crash via malformed MDL file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow vulnerability exists in Assimp up to version 6.0.4 in the function Assimp::MDL::HalfLife::HL1MDLLoader::read_animations() located in HL1MDLLoader.cpp. The parser allocates an array of size 1 but writes a second element out of bounds, lacking array boundary validation. This occurs when processing a specially crafted Half-Life 1 MDL file [1].

Exploitation

An attacker has to get a malformed .mdl file parsed by Assimp, whether by a user opening it in an application that embeds the library or by a service that imports untrusted models. The bug triggers locally during parsing; no authentication or privileges are needed beyond whatever it takes to have the file loaded. A proof-of-concept file is public and reproduces the crash [1].

Impact

A successful exploit causes an out-of-bounds heap write, which in practice terminates the process (denial of service). Because the write lands past the end of a heap allocation, it could corrupt adjacent heap metadata or objects depending on memory layout, but the only impact demonstrated is the crash [1].

Mitigation

The report this advisory is based on predates a fix: at its date no official patch had been released and the project had tagged the issue as a bug [1]. The Patches section below records commit 3e188e676873 as fixing the issue in Assimp 6.0.5. Users on 6.0.4 or earlier should upgrade to 6.0.5 or later; until then, do not load MDL files from untrusted sources and watch the Assimp repository for further changes to the HL1 loader [2].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

3e188e676873

HL1MDLLoader: fix segfault in destructors (#6537)

https://github.com/assimp/assimp · Oliver Chang · Feb 22, 2026 · Fixed in 6.0.5 (via llm-release-walk)
1 file changed · +2 -2
  • code/AssetLib/MDL/HalfLife/HL1MDLLoader.cpp (+2 -2, modified)
    @@ -971,7 +971,7 @@ void HL1MDLLoader::read_animations() {
     
         pseqdesc = get_buffer_data<SequenceDesc_HL1>(header_->seqindex, header_->numseq);
     
    -    aiAnimation **scene_animations_ptr = scene_->mAnimations = new aiAnimation *[scene_->mNumAnimations];
    +    aiAnimation **scene_animations_ptr = scene_->mAnimations = new aiAnimation *[scene_->mNumAnimations]();
     
         for (int sequence = 0; sequence < header_->numseq; ++sequence, ++pseqdesc) {
             pseqgroup = get_buffer_data<SequenceGroup_HL1>(header_->seqgroupindex + pseqdesc->seqgroup * sizeof(SequenceGroup_HL1), 1);
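Review bot: the `()` on `new aiAnimation *[scene_->mNumAnimations]()` only zero-fills the slots; it leaves the mismatch the advisory describes in place, because the array is sized from `scene_->mNumAnimations` while the fill loop that follows is bounded by `header_->numseq`. If a crafted file makes `numseq` exceed the count used for `mNumAnimations`, the loop still writes past the end of the array, zero-filled or not. Check before the allocation that the two counts agree (or bound the loop by `scene_->mNumAnimations`) and reject the file through the importer's error path when they do not.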
    @@ -992,7 +992,7 @@ void HL1MDLLoader::read_animations() {
                 scene_animation->mTicksPerSecond = pseqdesc->fps;
                 scene_animation->mDuration = static_cast<double>(pseqdesc->fps) * pseqdesc->numframes;
                 scene_animation->mNumChannels = static_cast<unsigned int>(header_->numbones);
    -            scene_animation->mChannels = new aiNodeAnim *[scene_animation->mNumChannels];
    +            scene_animation->mChannels = new aiNodeAnim *[scene_animation->mNumChannels]();
     
                 for (int bone = 0; bone < header_->numbones; bone++, ++pbone, ++panim) {
                     aiNodeAnim *node_anim = scene_animation->mChannels[bone] = new aiNodeAnim();
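Review bot: `mNumChannels` is set from `static_cast<unsigned int>(header_->numbones)` and sizes the allocation, while the fill loop is bounded by the signed `header_->numbones`; a negative `numbones` from a crafted file casts to a value near 4 billion, so `new aiNodeAnim *[scene_animation->mNumChannels]()` attempts a multi-gigabyte allocation (bad_alloc at best) while the loop below never runs. Validate `header_->numbones >= 0`, and a sane upper bound, before the cast. The `()` itself is the right call here: `new aiNodeAnim()` inside the loop can throw partway, and a zero-filled array lets the aiAnimation destructor delete null slots instead of indeterminate pointers.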
    

Vulnerability mechanics

Root cause

"Missing array boundary validation in `read_animations()` causes a heap-buffer-overflow when writing a second animation element into an array allocated with size 1."

Attack vector

An attacker supplies a malformed Half-Life 1 MDL file that is parsed locally, for example by `assimp_fuzzer` or by any application that uses Assimp's MDL importer. Because `read_animations()` does not validate the element index against the allocation, the parser writes a second element into an array allocated for one [CWE-122] [ref_id=1].

Affected code

The vulnerable code is `Assimp::MDL::HalfLife::HL1MDLLoader::read_animations()` in `code/AssetLib/MDL/HalfLife/HL1MDLLoader.cpp`; the out-of-bounds write reported by ASAN is at line 989 of the affected version [ref_id=1].

What the fix does

The patch recorded above (commit 3e188e676873, "HL1MDLLoader: fix segfault in destructors", fixed in 6.0.5) changes the two pointer-array allocations in `read_animations()` from `new T *[n]` to `new T *[n]()`, which value-initializes every slot to null. That makes teardown safe when the import aborts partway: the destructors delete null pointers instead of indeterminate ones. It does not by itself add the array boundary validation the report [ref_id=1] calls for; the animation array is still sized from `scene_->mNumAnimations` and filled by a loop bounded by `header_->numseq`, so confirm the fixed version against the ASAN reproduction before relying on it.
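The mismatch-and-zero-fill pattern, as an added example that is not Assimp's code: a stripped-down model of the `read_animations()` allocation with the count check a reviewer would want, plus a check that `new T *[n]()` really leaves every slot null. `HeaderHL1`, `Animation`, `Scene`, `read_animations_checked`, `try_read` and `all_null_after_value_init` are stand-in names chosen here, not Assimp types or functions, and the header carries only the two counts the bug involves.

```cpp
// Added example, not Assimp code. Models the allocation/loop pattern in
// HL1MDLLoader::read_animations() with the checks the patch does not add.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed subset of the Half-Life 1 MDL header: only the two counts
// that matter here. Both are signed 32-bit in the file format.
struct HeaderHL1 {
    int32_t numseq;
    int32_t numbones;
};

// One output animation: one node-animation slot per bone (stand-in for
// aiAnimation with aiNodeAnim *mChannels[]).
struct Animation {
    unsigned numChannels = 0;
    std::vector<std::unique_ptr<int>> channels;
};

// Stand-in for aiScene: mNumAnimations is computed by an earlier pass,
// exactly as in the loader, so a crafted file can make it disagree with
// the header's numseq.
struct Scene {
    unsigned mNumAnimations = 0;
    std::vector<std::unique_ptr<Animation>> mAnimations;
};

// The original sizes the array from scene.mNumAnimations and fills it in
// a loop bounded by header.numseq. Here the disagreement is rejected
// before anything is allocated, and negative counts are rejected before
// they are cast to unsigned.
void read_animations_checked(const HeaderHL1 &h, Scene &scene) {
    if (h.numseq < 0 || h.numbones < 0)
        throw std::runtime_error("MDL: negative sequence or bone count");
    if (static_cast<uint32_t>(h.numseq) != scene.mNumAnimations)
        throw std::runtime_error("MDL: numseq " + std::to_string(h.numseq) +
                                 " does not match allocated animations " +
                                 std::to_string(scene.mNumAnimations));
    scene.mAnimations.clear();
    scene.mAnimations.reserve(scene.mNumAnimations);
    for (int32_t seq = 0; seq < h.numseq; ++seq) {
        auto anim = std::make_unique<Animation>();
        anim->numChannels = static_cast<unsigned>(h.numbones);
        // resize() value-initializes every slot to null, the same effect
        // the patch's `new aiNodeAnim *[n]()` has on the raw array.
        anim->channels.resize(anim->numChannels);
        for (int32_t bone = 0; bone < h.numbones; ++bone)
            anim->channels[static_cast<std::size_t>(bone)] = std::make_unique<int>(bone);
        scene.mAnimations.push_back(std::move(anim));
    }
}

// Drives the loader on a constructed header; true if accepted, false if
// the file was rejected (the scene is left empty on rejection).
bool try_read(int32_t numseq, int32_t numbones, unsigned allocated, Scene &out) {
    out.mNumAnimations = allocated;
    try {
        read_animations_checked(HeaderHL1{numseq, numbones}, out);
        return true;
    } catch (const std::runtime_error &) {
        out.mAnimations.clear();
        return false;
    }
}

// Why the patch matters for teardown: `new Animation *[n]` leaves the
// pointers indeterminate, so a destructor that deletes each slot after an
// aborted import frees garbage; `new Animation *[n]()` nulls every slot.
bool all_null_after_value_init(unsigned n) {
    std::unique_ptr<Animation *[]> slots(new Animation *[n]());
    for (unsigned i = 0; i < n; ++i)
        if (slots[i] != nullptr) return false;
    return true;
}
```

The shape the advisory describes, one animation allocated and two sequences in the header, is `try_read(2, 3, 1, scene)`: the unchecked loader would write the second element past the allocation, the checked one rejects the file before allocating. The negative-count check covers the `static_cast<unsigned int>(header_->numbones)` path, where a negative value would otherwise turn into a huge allocation size.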

Preconditions

  • input: the attacker must supply a malformed Half-Life 1 MDL file.
  • input: the file must be parsed by the Assimp library (e.g., via the MDL importer).
  • network: the attack vector is local (CVSS:3.1/AV:L); the file has to be parsed on the target.

Reproduction

1. Clone the Assimp repository and build with AddressSanitizer (clang, `-fsanitize=address -O0 -g`).
2. Run the fuzzer harness on the provided PoC file: `./assimp_fuzzer ./poc.mdl`.
3. ASAN reports a heap-buffer-overflow write at `HL1MDLLoader.cpp:989` [ref_id=1].

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
