CVE-2020-35635: CWE-129: Improper Validation of Array Index in CGAL Project

Medium
Published: Mon Aug 30 2021 (08/30/2021, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: CGAL Project

Description

A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1 in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() store_sm_boundary_item() Sloop_of OOB read. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger this vulnerability.

AI-Powered Analysis

Last updated: 06/23/2025, 22:56:15 UTC

Technical Analysis

CVE-2020-35635 is a vulnerability in the Computational Geometry Algorithms Library (CGAL), specifically in version 5.1.1 of the libcgal component. The flaw resides in the Nef polygon-parsing functionality in the source file Nef_S2/SNC_io_parser.h, in the functions SNC_io_parser::read_sface() and store_sm_boundary_item(). It is classified as CWE-129, improper validation of an array index: an index taken from the input is not checked against the bounds of the structure it addresses, which leads to an out-of-bounds (OOB) read and subsequent type confusion. An attacker can trigger the vulnerable code path by supplying a crafted, malformed input file. The OOB read causes the program to access memory outside the intended bounds, potentially leading to memory corruption, and the type confusion that follows can let an attacker influence the program's control flow, potentially resulting in arbitrary code execution. The vulnerability is triggered by processing maliciously crafted polygon data files and requires neither prior authentication nor elevated privileges. No known exploits have been reported in the wild, and no official patches or fixes are linked in the provided data. The affected version is CGAL 5.1.1, a widely used open-source computational geometry library that is integrated into many software products and research tools requiring geometric computations.

Potential Impact

For European organizations, the impact of this vulnerability depends largely on the extent to which CGAL 5.1.1 is embedded within their software stacks. CGAL is commonly used in academic, scientific, engineering, and CAD (Computer-Aided Design) applications. Organizations in sectors such as aerospace, automotive, manufacturing, and research institutions that rely on geometric computations could be at risk. Exploitation could lead to unauthorized code execution, potentially allowing attackers to compromise confidentiality, integrity, and availability of affected systems. This could result in intellectual property theft, disruption of critical design or manufacturing processes, or the introduction of malicious modifications into design files. Since the vulnerability can be triggered by processing a maliciously crafted file, any system that imports or processes external polygon data without sufficient validation is at risk. The lack of known exploits suggests a low current threat level, but the potential for code execution elevates the risk if exploited. The impact is heightened for organizations that use automated pipelines or services that parse polygon data from untrusted sources, as these could be leveraged as attack vectors.

Mitigation Recommendations

1. Immediate mitigation involves auditing all software components and tools to identify usage of CGAL version 5.1.1, especially those that handle polygon data parsing.
2. Where possible, upgrade to a later, patched version of CGAL once available. In the absence of an official patch, consider applying community or vendor-provided patches or workarounds that address the array index validation in SNC_io_parser.
3. Implement strict input validation and sanitization for all polygon data files before processing, including rejecting malformed or suspicious files.
4. Employ sandboxing or process isolation techniques for applications that parse polygon data to limit the impact of potential exploitation.
5. Monitor logs and network activity for unusual behavior related to polygon data processing components.
6. Restrict access to polygon data processing services to trusted sources only, minimizing exposure to malicious inputs.
7. For development teams, conduct code reviews focusing on array index validation and memory safety in polygon parsing modules.
8. Incorporate fuzz testing targeting the Nef polygon parsing functionality to detect similar vulnerabilities proactively.
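As an added illustration of recommendations 3 and 7 (validate every index read from a file before it touches memory), here is a hypothetical C++ parser fragment. It is example code written for this page, not CGAL's code and not the code affected by CVE-2020-35635; the record format, the `BoundaryItem` type, the function names and the sample input are all constructed. The point it demonstrates is the CWE-129 check itself: a numeric token from the input becomes an index only after it has been shown to be a well-formed decimal that is strictly smaller than the table it will index, so an off-by-one, a negative value or an oversized numeral is rejected instead of becoming an out-of-bounds read.

```cpp
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical boundary-item record; constructed for this example, not a CGAL type.
struct BoundaryItem {
    int kind;
};

// Parse one decimal index token and validate it against the size of the table it
// will index. Returns false (and leaves `out` untouched) for empty, non-decimal,
// over-long or out-of-range tokens, so the caller can never form an index >= table_size.
bool parse_checked_index(const std::string& token, std::size_t table_size,
                         std::size_t& out) {
    // Cap the digit count so the accumulation below cannot overflow size_t.
    if (token.empty() || token.size() > 18) return false;
    std::size_t value = 0;
    for (char c : token) {
        if (c < '0' || c > '9') return false;  // rejects '-', '+', hex digits, spaces
        value = value * 10 + static_cast<std::size_t>(c - '0');
    }
    // The CWE-129 check: an index equal to the size is already one past the end.
    if (value >= table_size) return false;
    out = value;
    return true;
}

struct ScanResult {
    std::size_t accepted = 0;
    std::size_t rejected = 0;
};

// Walk a constructed file body whose lines look like "<record> <index>" and
// resolve each index only after it has passed the check above.
ScanResult scan_boundary_refs(const std::string& body,
                              const std::vector<BoundaryItem>& table) {
    ScanResult r;
    std::istringstream in(body);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        std::string record, token;
        if (!(fields >> record >> token)) { ++r.rejected; continue; }
        std::size_t idx = 0;
        if (!parse_checked_index(token, table.size(), idx)) { ++r.rejected; continue; }
        const BoundaryItem& item = table[idx];  // in bounds by construction
        (void)item.kind;                         // a real parser would use the item here
        ++r.accepted;
    }
    return r;
}

// Constructed sample input, not a real Nef polygon file: one valid reference,
// one off-by-one, one negative, one over-long numeral and one non-numeric token.
const std::string SAMPLE_BODY =
    "sface 2\n"
    "sface 4\n"
    "sface -1\n"
    "sface 99999999999999999999\n"
    "sface abc\n";

int main() {
    std::vector<BoundaryItem> table{{0}, {1}, {2}, {3}};  // four hypothetical items
    ScanResult r = scan_boundary_refs(SAMPLE_BODY, table);
    std::cout << "accepted=" << r.accepted << " rejected=" << r.rejected << "\n";
    return r.rejected == 0 ? 0 : 1;
}
```

With a four-entry table the sample body yields one accepted reference and four rejections; the rejected lines are exactly the inputs a fuzzer (recommendation 8) tends to find first. Counting rejections, as `ScanResult` does, also gives the monitoring hook from recommendation 5: a parser that suddenly rejects many references from one source is worth a log entry.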

Technical Details

Data Version: 5.1
Assigner Short Name: talos
Date Reserved: 2020-12-22T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9841c4522896dcbf1b1b

Added to database: 5/21/2025, 9:09:21 AM

Last enriched: 6/23/2025, 10:56:15 PM

Last updated: 7/29/2025, 3:13:40 PM
