CVE-2026-10197
Description
A vulnerability was detected in Assimp up to 6.0.4. Affected is the function glTF2Importer::ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp of the component TF File Handler. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. The pull request to fix this issue awaits acceptance.
CVE-2026-10197
| Name | CVE-2026-10197 |
| Description | A vulnerability was detected in Assimp up to 6.0.4. Affected is the function glTF2Importer::ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp of the component TF File Handler. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. The pull request to fix this issue awaits acceptance. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| assimp (PTS) | bullseye | 5.0.1~ds0-2 | vulnerable |
| assimp (PTS) | bookworm | 5.2.5~ds0-1 | vulnerable |
| assimp (PTS) | trixie | 5.4.3+ds-2 | vulnerable |
| assimp (PTS) | forky, sid | 6.0.5+ds-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| assimp | source | (unstable) | (unfixed) | | | |
Notes
https://github.com/assimp/assimp/issues/6608
https://github.com/assimp/assimp/pull/6645
OS impact
Debian Affected 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | - |
| sid | Affected | - |
| forky | Affected | - |
| bullseye | Affected | - |
| bookworm | Affected | - |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
References
- https://github.com/assimp/assimp/
- https://github.com/assimp/assimp/issues/6608
- https://github.com/assimp/assimp/pull/6645
- https://github.com/user-attachments/files/27193894/poc.zip
- https://vuldb.com/cve/CVE-2026-10197
- https://vuldb.com/submit/821177
- https://vuldb.com/vuln/367477
- https://vuldb.com/vuln/367477/cti
- https://www.suse.com/security/cve/CVE-2026-10197.html
- https://security-tracker.debian.org/tracker/CVE-2026-10197
CWEs
CWE-404 CWE-476