
CVE-2020-35629: CWE-129: Improper Validation of Array Index in CGAL Project libcgal

Medium
Published: Mon Apr 18 2022 (04/18/2022, 16:56:39 UTC)
Source: CVE
Vendor/Project: CGAL Project
Product: libcgal

Description

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An OOB read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser<EW>::read_sloop() slh->facet().

AI-Powered Analysis

Last updated: 06/23/2025, 12:22:13 UTC

Technical Analysis

CVE-2020-35629 is a medium-severity vulnerability affecting the CGAL Project's libcgal library, specifically version 5.1.1. The vulnerability arises from improper validation of array indices (CWE-129) in the Nef polygon-parsing functionality, specifically in the read_sloop() function of the Nef_S2/SNC_io_parser.h component. A specially crafted malformed input file can trigger out-of-bounds (OOB) reads and type confusion. The OOB read occurs when the parser accesses array elements without adequate bounds checks, leading to memory corruption; type confusion can cause the program to interpret data as an incorrect type, potentially enabling arbitrary code execution. Exploitation requires that an attacker supply a malicious input file to an application or system that uses libcgal 5.1.1 for polygon parsing. No exploits are known to be in the wild, but successful exploitation could allow remote code execution or cause a denial of service by crashing the affected application. The vulnerability requires no authentication, but it does require user interaction in the form of processing a crafted file. No official patch links are provided, so users must monitor CGAL Project updates or apply manual mitigations. The vulnerability was reserved in December 2020 and publicly disclosed in April 2022, and the record's enrichment by CISA and Talos shows recognition by established security bodies.

Potential Impact

For European organizations, the impact of CVE-2020-35629 depends largely on the use of CGAL libcgal 5.1.1 within their software stacks. CGAL is widely used in computational geometry, CAD, GIS, and scientific research applications. Organizations in sectors such as manufacturing, engineering, geospatial analysis, and academia may rely on software that incorporates libcgal. Exploitation could lead to unauthorized code execution, potentially allowing attackers to compromise confidentiality by accessing sensitive geometric or design data, integrity by manipulating parsed data, or availability by crashing critical applications. Given the specialized nature of CGAL, the threat is more pronounced in organizations that process complex geometric data or use CAD tools integrating libcgal. Disruption in these environments could delay product development, impact research outcomes, or expose intellectual property. Since the vulnerability requires processing a malicious file, phishing or supply chain attacks could be vectors. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.

Mitigation Recommendations

1. Inventory and Identify: European organizations should audit their software environments to identify any use of CGAL libcgal 5.1.1, especially in CAD, GIS, or scientific applications.
2. Update and Patch: Although no official patches are linked, organizations should monitor the CGAL Project for updates or newer versions that address this vulnerability and plan timely upgrades.
3. Input Validation: Implement strict validation and sanitization of all input files processed by applications using libcgal to detect and block malformed or suspicious polygon files.
4. Application Sandboxing: Run applications that parse polygon files in isolated environments or sandboxes to contain potential exploitation impact.
5. Network Controls: Restrict the acceptance of polygon files from untrusted sources and implement network-level controls to prevent delivery of malicious files.
6. User Awareness: Train users in relevant departments to recognize suspicious files and avoid opening untrusted polygon data.
7. Monitoring and Detection: Deploy monitoring tools to detect abnormal application behavior or crashes related to polygon parsing, enabling rapid incident response.
8. Supply Chain Security: Verify the integrity of third-party software and data sources that utilize CGAL to prevent introduction of malicious files.
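The flaw class this record describes (an index read from the parsed file and used to select an element of an in-memory table without checking it against the table's size) and the input-validation recommendation in item 3 above come down to the same check. The following is an added illustration written for this page; it is not CGAL's code and not the Nef_S2/SNC_io_parser.h parser. It uses a constructed toy record format (`sloop <index>`) and hypothetical names (Facet, sample_facets, parse_sloops, parse_sloops_text) to show the CWE-129 pattern and the bounds check that closes it.

```cpp
// Added illustration of the CWE-129 pattern described in this record.
// Constructed toy format and hypothetical names; this is NOT CGAL's
// Nef_S2/SNC_io_parser.h code.
#include <cstddef>
#include <iostream>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// In-memory table that a parsed record refers to by index.
struct Facet {
    int id;
};

// Constructed sample table (three facets) used by main() and the checks below.
const std::vector<Facet>& sample_facets() {
    static const std::vector<Facet> facets{{10}, {20}, {30}};
    return facets;
}

// Parse records of the form "sloop <index>" from an untrusted stream and
// resolve each index to a facet id.
//
// The unsafe pattern is `facets[index]` with `index` taken straight from the
// file: std::vector::operator[] does no bounds check, so an index at or past
// facets.size() reads outside the table (the out-of-bounds read in CWE-129).
// Here every index is validated against the live table size before use, and
// any malformed or out-of-range record rejects the whole input.
std::optional<std::vector<int>> parse_sloops(std::istream& in,
                                             const std::vector<Facet>& facets) {
    std::vector<int> resolved;
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        std::string keyword;
        long long raw = -1;
        // Extraction fails on a missing keyword, a non-numeric index, or a
        // number too large for long long; all of these are rejected.
        if (!(fields >> keyword >> raw) || keyword != "sloop") {
            return std::nullopt;
        }
        // Read as signed so that "-1" is caught here instead of wrapping into
        // a huge unsigned value; then compare against the real table size.
        if (raw < 0 ||
            static_cast<unsigned long long>(raw) >= facets.size()) {
            return std::nullopt;
        }
        resolved.push_back(facets[static_cast<std::size_t>(raw)].id);
    }
    return resolved;
}

// Convenience wrapper for in-memory text (used by main() and the checks).
std::optional<std::vector<int>> parse_sloops_text(const std::string& text,
                                                  const std::vector<Facet>& facets) {
    std::istringstream in(text);
    return parse_sloops(in, facets);
}

int main() {
    // Constructed inputs: one well-formed file and one whose index points
    // past the end of the three-entry table.
    auto good = parse_sloops_text("sloop 0\nsloop 2\n", sample_facets());
    auto bad = parse_sloops_text("sloop 7\n", sample_facets());
    std::cout << "well-formed input: " << (good ? "accepted" : "rejected") << "\n"
              << "out-of-range index: " << (bad ? "accepted" : "rejected") << "\n";
    return (good && !bad) ? 0 : 1;
}
```

The check is deliberately placed at the point where the untrusted value meets the table, and it compares against the table's current size rather than a constant from the file header, since a crafted file can make the header and the body disagree. Rejecting the whole input on the first bad record keeps a partially built structure from being handed to later code that assumes every index is valid.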


Technical Details

Data Version: 5.1
Assigner Short Name: talos
Date Reserved: 2020-12-22T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9842c4522896dcbf2aaa

Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 12:22:13 PM

Last updated: 7/30/2025, 4:53:33 PM

Views: 11
