Five Bugs, Including a Heap Overflow, Disclosed in Assimp glTF Importers and FBX Exporter — Exploits Public, No Patch Available
Five vulnerabilities, including a heap buffer overflow that a crafted file can trigger over the network, have been disclosed in the Assimp 3D library, with exploit code already public and no patch released as of June 1, 2026.

Five vulnerabilities were disclosed as a batch on May 31 and June 1, 2026 in Assimp (Open Asset Import Library), the widely used open-source 3D model import library. Affecting all versions up to and including 6.0.4, the batch consists of three null pointer dereferences in the glTF import code path, a heap-based buffer overflow in the glTF 4x4 matrix parser, and a divide-by-zero in the FBX exporter. Critically, exploit code for all five CVEs is public, raising the immediate risk for any application that ingests untrusted 3D models via Assimp. No patch had been released as of publication, according to Vypr Intelligence.
Three of the five bugs are null pointer dereferences in the glTF importers. CVE-2026-10197 (CVSS 3.3, Low) triggers a null pointer dereference in glTF2Importer::ImportEmbeddedTextures in code/AssetLib/glTF2/glTF2Importer.cpp when handling embedded texture data. CVE-2026-10198 (CVSS 3.3, Low) is the same bug class in Assimp::glTFImporter::ImportMeshes in glTFImporter.cpp, the glTF 1.0 importer. CVE-2026-10199 (CVSS 3.3, Low) is a null pointer dereference in glTF2::LazyDict::operator[] in glTF2Asset.h, the lazily populated dictionary through which the importer resolves index references between glTF objects. All three are scored with a local attack vector because the attacker must get a victim to load a crafted file; in practice any service that accepts uploaded models from the network turns the same crash into a remotely triggerable denial of service, so the Low rating should not be read as "not reachable remotely".
The medium-severity outlier is CVE-2026-10200 (CVSS 5.3), a heap-based buffer overflow in glTFCommon::CopyValue in glTFCommon.h while parsing a 4x4 matrix. Unlike the null-pointer group it is scored with a network attack vector, and as an out-of-bounds heap write it corrupts memory rather than simply crashing the process, making it the most dangerous of the batch. The fifth CVE, CVE-2026-10201, a divide-by-zero in the FBX exporter's UV channel handler, rounds out the disclosure, per Vypr Intelligence. Note that it sits in the export path, so it is reached when Assimp writes FBX from an already imported scene rather than when it reads an FBX file.
Public exploit code for all five significantly raises the risk for any application or service that ingests untrusted 3D model files via Assimp. The library is embedded in game engines, CAD tools, and content pipelines across the industry, meaning a crafted glTF file, or a scene that reaches the FBX exporter, could crash a process or, in the case of the heap overflow, potentially lead to code execution.
As of June 1, 2026, the Assimp maintainers have not published a fixed version. Users of Assimp up to and including version 6.0.4 should monitor the Assimp GitHub repository for a security release and, in the interim, avoid feeding untrusted 3D model files to the affected importers. Because Assimp is commonly vendored or statically linked into engines and tools, downstream users should also check with those vendors rather than relying solely on a system package. Where model ingestion cannot be paused, run the importer in an isolated, resource-limited worker process and validate the glTF structure before Assimp parses it.
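As an added example (not code from the page or from the Assimp project), the following Python pre-filter implements the interim check suggested above: it extracts the JSON document from a .gltf or .glb file and rejects inputs with the two shapes the disclosed bug classes depend on, a node "matrix" that is not exactly 16 numbers and index references that point outside the arrays they name. The sample documents are constructed here, and the assumption that these malformed shapes are what reach CopyValue and LazyDict is illustrative; they are not the published proof-of-concept inputs.

```python
import json
import struct

# GLB container constants from the glTF 2.0 specification.
GLB_MAGIC = b"glTF"
CHUNK_JSON = 0x4E4F534A  # "JSON"
CHUNK_BIN = 0x004E4942   # "BIN\0"

# Top-level arrays whose integer indices other objects reference.
INDEXED = ("accessors", "bufferViews", "buffers", "images", "materials",
           "meshes", "nodes", "samplers", "textures")


def extract_gltf_json(data: bytes) -> dict:
    """Return the JSON document of a .gltf (text) or .glb (binary) file."""
    if data[:4] != GLB_MAGIC:
        return json.loads(data)
    if len(data) < 20:
        raise ValueError("GLB header truncated")
    _, version, length = struct.unpack_from("<4sII", data, 0)
    if version != 2 or length != len(data):
        raise ValueError("unsupported GLB version or length mismatch")
    chunk_len, chunk_type = struct.unpack_from("<II", data, 12)
    if chunk_type != CHUNK_JSON or 20 + chunk_len > len(data):
        raise ValueError("first GLB chunk must be an in-bounds JSON chunk")
    return json.loads(data[20:20 + chunk_len])


def build_glb(doc: dict, binary: bytes = b"") -> bytes:
    """Pack a glTF document (and optional BIN payload) into a GLB container."""
    js = json.dumps(doc, separators=(",", ":")).encode()
    js += b" " * (-len(js) % 4)                      # JSON chunk is space-padded
    body = struct.pack("<II", len(js), CHUNK_JSON) + js
    if binary:
        binary += b"\0" * (-len(binary) % 4)         # BIN chunk is zero-padded
        body += struct.pack("<II", len(binary), CHUNK_BIN) + binary
    return struct.pack("<4sII", GLB_MAGIC, 2, 12 + len(body)) + body


def check_gltf(doc: dict) -> list:
    """Return a list of structural problems; an empty list means the file passed."""
    problems = []
    counts = {k: len(doc.get(k, [])) for k in INDEXED}

    def ref(path, kind, value):
        # Every cross-reference must be an in-range integer index (bool is excluded).
        if not isinstance(value, int) or isinstance(value, bool) or not 0 <= value < counts[kind]:
            problems.append(f"{path}: index {value!r} out of range for {kind} (count {counts[kind]})")

    for i, node in enumerate(doc.get("nodes", [])):
        m = node.get("matrix")  # spec: exactly 16 numbers, column-major
        if m is not None and not (isinstance(m, list) and len(m) == 16
                                  and all(isinstance(x, (int, float)) for x in m)):
            problems.append(f"nodes[{i}].matrix: expected exactly 16 numbers")
        if "mesh" in node:
            ref(f"nodes[{i}].mesh", "meshes", node["mesh"])
        for j, child in enumerate(node.get("children", [])):
            ref(f"nodes[{i}].children[{j}]", "nodes", child)
    for i, img in enumerate(doc.get("images", [])):
        if "bufferView" in img:  # embedded image: needs a valid view and a mimeType
            ref(f"images[{i}].bufferView", "bufferViews", img["bufferView"])
            if "mimeType" not in img:
                problems.append(f"images[{i}]: embedded image lacks mimeType")
        elif "uri" not in img:
            problems.append(f"images[{i}]: neither uri nor bufferView")
    for i, tex in enumerate(doc.get("textures", [])):
        for key, kind in (("source", "images"), ("sampler", "samplers")):
            if key in tex:
                ref(f"textures[{i}].{key}", kind, tex[key])
    for i, acc in enumerate(doc.get("accessors", [])):
        if "bufferView" in acc:
            ref(f"accessors[{i}].bufferView", "bufferViews", acc["bufferView"])
    for i, bv in enumerate(doc.get("bufferViews", [])):
        ref(f"bufferViews[{i}].buffer", "buffers", bv.get("buffer"))
    for i, mesh in enumerate(doc.get("meshes", [])):
        for j, prim in enumerate(mesh.get("primitives", [])):
            for name, acc in prim.get("attributes", {}).items():
                ref(f"meshes[{i}].primitives[{j}].attributes.{name}", "accessors", acc)
            for key, kind in (("indices", "accessors"), ("material", "materials")):
                if key in prim:
                    ref(f"meshes[{i}].primitives[{j}].{key}", kind, prim[key])
    return problems


# Constructed sample documents (not real-world files and not the published PoCs).
GOOD_DOC = {
    "asset": {"version": "2.0"},
    "buffers": [{"byteLength": 36}],
    "bufferViews": [{"buffer": 0, "byteLength": 36}],
    "accessors": [{"bufferView": 0, "componentType": 5126, "count": 3, "type": "VEC3"}],
    "meshes": [{"primitives": [{"attributes": {"POSITION": 0}}]}],
    "images": [{"uri": "albedo.png"}],
    "textures": [{"source": 0}],
    "nodes": [{"mesh": 0, "matrix": [1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1]}],
}
# Assumed malformed shapes: an oversized node matrix and a texture whose source
# points at an image that does not exist. Illustrative of the bug classes only.
BAD_DOC = json.loads(json.dumps(GOOD_DOC))
BAD_DOC["nodes"][0]["matrix"] = [1.0] * 17
BAD_DOC["textures"][0]["source"] = 7

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        issues = check_gltf(extract_gltf_json(build_glb(doc)))
        print(name, "OK" if not issues else issues)
```

Run it on a file as `check_gltf(extract_gltf_json(open(path, "rb").read()))` before handing the path to Assimp, and reject anything that returns a non-empty list. It is a pre-filter, not a fix: it covers only the fields listed here, not every object the importer dereferences, and does nothing for the FBX exporter, so keep the importer in a separate process with memory and time limits as well.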
This batch underscores a recurring pattern in Assimp's security history: the glTF and FBX code paths, which handle deeply nested data structures full of cross-references, continue to produce memory-safety and crash bugs. With exploit code public and no fix available, the window of exposure is open; users should treat any untrusted glTF or FBX file as a potential attack vector until a patched version ships.
The original disclosure, published by Vypr Intelligence on June 1, 2026, carries the technical detail behind the five CVEs summarized above and also refers to a further null pointer dereference in the glTF import code for which no identifier is given. It notes that the glTF code paths lack null checks on the objects they resolve, the same root cause seen repeatedly in the library's vulnerability history.