Nixpkgs security tracker

Permalink CVE-2025-15538

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 3 months ago

Open Asset Import Library Assimp LWOMaterial.cpp FindUVChannels use after free

A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. Affected by this vulnerability is the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. This and similar defects are tracked and handled via issue #6128.

References

VDB-341727 | Open Asset Import Library Assimp LWOMaterial.cpp FindUVChannels use after free vdb-entrytechnical-description
VDB-341727 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #735232 | Open Asset Import Library Assimp 6.0.2 Use After Free third-party-advisory
https://github.com/assimp/assimp/issues/6258 issue-tracking
https://github.com/assimp/assimp/issues/6258#issuecomment-3070999530 issue-tracking
https://github.com/user-attachments/files/21216542/assimp_poc10.zip exploit

Affected products

Assimp

==6.0.1
==6.0.2
==6.0.0

Matching in nixpkgs

pkgs.assimp

Library to import various 3D model formats

nixos-unstable 6.0.2
- nixpkgs-unstable 6.0.2
- nixos-unstable-small 6.0.2
nixos-25.11 6.0.2
- nixpkgs-25.11-darwin 6.0.2

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.assimp