CVE-2026-10199: NULL Pointer Dereference in Assimp
A vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Such manipulation of the argument operator[] leads to null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue.
AI Analysis
Technical Summary
This vulnerability affects Assimp versions 6.0.0 through 6.0.4 in the glTF2::LazyDict function of glTF2Asset.h. The flaw is a null pointer dereference caused by improper handling of the operator[] argument. This can lead to a crash or denial of service when triggered locally. The vulnerability has a CVSS 4.8 (medium) score with local attack vector and low complexity. A patch exists identified by commit d24b85319bd70c65883a2b96613e07e23fb95981, which should be applied to remediate the issue.
Potential Impact
Successful exploitation results in a null pointer dereference, likely causing a denial of service or application crash. The attack requires local access with low privileges and does not require user interaction. There is no indication of remote exploitation or privilege escalation. No known active exploits have been reported.
Mitigation Recommendations
A patch identified by commit d24b85319bd70c65883a2b96613e07e23fb95981 is available and should be applied to affected versions of Assimp (up to 6.0.4) to resolve this vulnerability. Since no official vendor advisory or remediation level is provided, users should verify the patch availability in their Assimp version control or source repository. No additional mitigations are specified.
CVE-2026-10199: NULL Pointer Dereference in Assimp
Description
A vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Such manipulation of the argument operator[] leads to null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue.
CVSS v4.0
Score 4.8medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects Assimp versions 6.0.0 through 6.0.4 in the glTF2::LazyDict function of glTF2Asset.h. The flaw is a null pointer dereference caused by improper handling of the operator[] argument. This can lead to a crash or denial of service when triggered locally. The vulnerability has a CVSS 4.8 (medium) score with local attack vector and low complexity. A patch exists identified by commit d24b85319bd70c65883a2b96613e07e23fb95981, which should be applied to remediate the issue.
Potential Impact
Successful exploitation results in a null pointer dereference, likely causing a denial of service or application crash. The attack requires local access with low privileges and does not require user interaction. There is no indication of remote exploitation or privilege escalation. No known active exploits have been reported.
Mitigation Recommendations
A patch identified by commit d24b85319bd70c65883a2b96613e07e23fb95981 is available and should be applied to affected versions of Assimp (up to 6.0.4) to resolve this vulnerability. Since no official vendor advisory or remediation level is provided, users should verify the patch availability in their Assimp version control or source repository. No additional mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-31T06:13:40.131Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1cbac3e29bf47b506c9213
Added to database: 5/31/2026, 10:48:35 PM
Last enriched: 5/31/2026, 11:03:29 PM
Last updated: 6/2/2026, 5:03:03 AM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.