{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-10197", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-05-31T06:13:33.390Z", "datePublished": "2026-05-31T22:00:12.850Z", "dateUpdated": "2026-06-01T13:25:09.990Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-05-31T22:00:12.850Z"}, "title": "Assimp TF File glTF2Importer.cpp ImportEmbeddedTextures null pointer dereference", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-476", "lang": "en", "description": "NULL Pointer Dereference"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-404", "lang": "en", "description": "Denial of Service"}]}], "affected": [{"vendor": "n/a", "product": "Assimp", "versions": [{"version": "6.0.0", "status": "affected"}, {"version": "6.0.1", "status": "affected"}, {"version": "6.0.2", "status": "affected"}, {"version": "6.0.3", "status": "affected"}, {"version": "6.0.4", "status": "affected"}], "cpes": ["cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:*"], "modules": ["TF File Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Assimp up to 6.0.4. Affected is the function glTF2Importer::ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp of the component TF File Handler. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. The pull request to fix this issue awaits acceptance."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-05-31T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-05-31T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-05-31T08:18:50.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "TYGLS (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/367477", "name": "VDB-367477 | Assimp TF File glTF2Importer.cpp ImportEmbeddedTextures null pointer dereference", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/367477/cti", "name": "VDB-367477 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/cve/CVE-2026-10197", "name": "CVE-2026-10197 | CVE Analysis and Report", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/821177", "name": "Submit #821177 | Assimp commit 17c12da NULL Pointer Dereference", "tags": ["third-party-advisory"]}, {"url": "https://github.com/assimp/assimp/issues/6608", "tags": ["issue-tracking"]}, {"url": "https://github.com/user-attachments/files/27193894/poc.zip", "tags": ["exploit"]}, {"url": "https://github.com/assimp/assimp/pull/6645", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/assimp/assimp/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-01T13:24:57.546743Z", "id": "CVE-2026-10197", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-01T13:25:09.990Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Assimp TF File glTF2Importer.cpp ImportEmbeddedTextures null pointer dereference", "credits": [{"lang": "en", "type": "reporter", "value": "TYGLS (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:*"], "vendor": "n/a", "modules": ["TF File Handler"], "product": "Assimp", "versions": [{"status": "affected", "version": "6.0.0"}, {"status": "affected", "version": "6.0.1"}, {"status": "affected", "version": "6.0.2"}, {"status": "affected", "version": "6.0.3"}, {"status": "affected", "version": "6.0.4"}]}], "timeline": [{"lang": "en", "time": "2026-05-31T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-05-31T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-05-31T08:18:50.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/367477", "name": "VDB-367477 | Assimp TF File glTF2Importer.cpp ImportEmbeddedTextures null pointer dereference", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/367477/cti", "name": "VDB-367477 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/cve/CVE-2026-10197", "name": "CVE-2026-10197 | CVE Analysis and Report", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/821177", "name": "Submit #821177 | Assimp commit 17c12da NULL Pointer Dereference", "tags": ["third-party-advisory"]}, {"url": "https://github.com/assimp/assimp/issues/6608", "tags": ["issue-tracking"]}, {"url": "https://github.com/user-attachments/files/27193894/poc.zip", "tags": ["exploit"]}, {"url": "https://github.com/assimp/assimp/pull/6645", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/assimp/assimp/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Assimp up to 6.0.4. Affected is the function glTF2Importer::ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp of the component TF File Handler. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. The pull request to fix this issue awaits acceptance."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "NULL Pointer Dereference"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "Denial of Service"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-05-31T22:00:12.850Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-10197", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-01T13:24:57.546743Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-06-01T13:25:06.081Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-10197", "state": "PUBLISHED", "dateUpdated": "2026-05-31T22:00:12.850Z", "dateReserved": "2026-05-31T06:13:33.390Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-05-31T22:00:12.850Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Assimp up to 6.0.4. Affected is the function glTF2Importer::ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp of the component TF File Handler. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. The pull request to fix this issue awaits acceptance."}], "id": "CVE-2026-10197", "lastModified": "2026-06-01T15:15:37.293", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-05-31T22:16:54.150", "references": [{"source": "[email protected]", "url": "https://github.com/assimp/assimp/"}, {"source": "[email protected]", "url": "https://github.com/assimp/assimp/issues/6608"}, {"source": "[email protected]", "url": "https://github.com/assimp/assimp/pull/6645"}, {"source": "[email protected]", "url": "https://github.com/user-attachments/files/27193894/poc.zip"}, {"source": "[email protected]", "url": "https://vuldb.com/cve/CVE-2026-10197"}, {"source": "[email protected]", "url": "https://vuldb.com/submit/821177"}, {"source": "[email protected]", "url": "https://vuldb.com/vuln/367477"}, {"source": "[email protected]", "url": "https://vuldb.com/vuln/367477/cti"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-476"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "assimp: Assimp: Denial of Service via null pointer dereference in glTF2Importer", "id": "2483755", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2483755"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in Assimp. A local user with access to the system could exploit a null pointer dereference vulnerability in the `glTF2Importer::ImportEmbeddedTextures` function. This flaw could lead to a Denial of Service (DoS), making the application unavailable."], "mitigation": {"lang": "en:us", "value": "Users should avoid processing untrusted glTF2 files with applications that rely on the Assimp library. This vulnerability requires local access and the processing of a specially crafted file to trigger the null pointer dereference, leading to a denial of service."}, "name": "CVE-2026-10197", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "qt6-qtquick3d", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "qt5-qt3d", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-31T22:00:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-10197\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-10197\nhttps://github.com/assimp/assimp/\nhttps://github.com/assimp/assimp/issues/6608\nhttps://github.com/assimp/assimp/pull/6645\nhttps://github.com/user-attachments/files/27193894/poc.zip\nhttps://vuldb.com/cve/CVE-2026-10197\nhttps://vuldb.com/submit/821177\nhttps://vuldb.com/vuln/367477\nhttps://vuldb.com/vuln/367477/cti"], "statement": "This Moderate impact null pointer dereference vulnerability in Assimp's glTF2Importer requires local system access to trigger a Denial of Service. While the flaw can make an application unavailable, its local nature limits the overall risk to Red Hat products.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.0.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.0.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.0.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.0.4"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Assimp", "source": "cna", "vendor": "n/a"}, "product": "assimp", "vendor": "assimp"}], "created": "2026-05-31T23:30:14.460619+00:00", "updated": "2026-05-31T23:30:14.836948+00:00", "vendors": ["assimp", "assimp$PRODUCT$assimp"]}