
CVE-2020-28610: CWE-129: Improper Validation of Array Index in CGAL Project libcgal

Medium
Published: Mon Apr 18 2022 (04/18/2022, 16:55:58 UTC)
Source: CVE
Vendor/Project: CGAL Project
Product: libcgal

Description

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An OOB read vulnerability exists in Nef_S2/SM_io_parser.h SM_io_parser<Decorator_>::read_vertex() set_face().

AI-Powered Analysis

AI analysis last updated: 06/23/2025, 13:05:06 UTC

Technical Analysis

CVE-2020-28610 is a medium-severity vulnerability in version 5.1.1 of the CGAL Project's libcgal library, specifically in its Nef polygon-parsing functionality. The root cause is improper validation of array indices (CWE-129) in the code that handles polygon data structures. The flaw manifests as an out-of-bounds (OOB) read and type confusion triggered by specially crafted malformed input files. The affected code is in the SM_io_parser<Decorator_>::read_vertex() and set_face() functions in the Nef_S2/SM_io_parser.h file. An attacker can exploit this by supplying malicious polygon files that cause the parser to read beyond the bounds of allocated arrays, leading to memory corruption. This memory corruption can result in type confusion, which may allow an attacker to execute arbitrary code in the context of the vulnerable application. The vulnerability does not require authentication, but it does require the application to process attacker-controlled polygon files, which implies user interaction or automated processing of untrusted inputs. No known exploits have been reported in the wild, and no official patches or fixes are linked in the provided data. The vulnerability affects only CGAL version 5.1.1, a computational geometry library widely used in scientific computing, CAD, GIS, and other domains requiring complex geometric computations.

Potential Impact

European organizations utilizing CGAL libcgal 5.1.1 in their software stacks, especially those involved in CAD, GIS, scientific research, or engineering applications, face risks including unauthorized code execution, data corruption, and potential system compromise. Exploitation could lead to loss of confidentiality if sensitive data is accessed, integrity violations through corrupted geometric data, and availability issues if the application crashes or behaves unpredictably. Given the specialized nature of CGAL, the impact is likely concentrated in sectors relying on computational geometry, such as aerospace, automotive, manufacturing, and geospatial services. Compromise of such systems could disrupt critical design and analysis workflows, leading to operational delays and financial losses. Additionally, if these systems are integrated into larger enterprise environments or connected to networks, the vulnerability could serve as a foothold for lateral movement or further attacks. The lack of known exploits reduces immediate threat but does not eliminate risk, especially as attackers may develop exploits over time.

Mitigation Recommendations

Upgrade to a later, patched version of CGAL libcgal once available, as no patch is currently linked for version 5.1.1. Implement strict input validation and sanitization on all polygon files before processing, including rejecting malformed or suspicious files. Employ sandboxing or containerization for applications processing untrusted polygon data to limit potential damage from exploitation. Monitor application logs for unusual parsing errors or crashes that could indicate exploitation attempts. Restrict access to systems processing CGAL polygon files to trusted users and networks to reduce exposure. Conduct code audits and static analysis on custom software integrating libcgal to identify and remediate unsafe handling of polygon data. Where feasible, replace or supplement CGAL components with alternative libraries that have active maintenance and security support.


Technical Details

Data Version
5.1
Assigner Short Name
talos
Date Reserved
2020-11-13T00:00:00.000Z
Cisa Enriched
true
