{ "schema_version": "1.7.0", "id": "MGASA-2026-0170", "published": "2026-06-02T05:23:04Z", "modified": "2026-06-02T04:29:43Z", "summary": "Updated assimp packages fix security vulnerabilities", "details": "CVE-2025-2750,- A vulnerability, which was classified as critical, was\nfound in Open Asset Import Library Assimp 5.4.3. This affects the\nfunction Assimp::CSMImporter::InternReadFile of the file\ncode/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The\nmanipulation leads to out-of-bounds write. It is possible to initiate\nthe attack remotely. The exploit has been disclosed to the public and\nmay be used.\nCVE-2025-2757, A vulnerability classified as critical was found in Open\nAsset Import Library Assimp 5.4.3. This vulnerability affects the\nfunction AI_MD5_PARSE_STRING_IN_QUOTATION of the file\ncode/AssetLib/MD5/MD5Parser.cpp of the component MD5 File Handler. The\nmanipulation of the argument data leads to heap-based buffer overflow.\nThe attack can be initiated remotely. The exploit has been disclosed to\nthe public and may be used.\nCVE-2025-2757, A vulnerability classified as critical was found in Open\nAsset Import Library Assimp 5.4.3. This vulnerability affects the\nfunction AI_MD5_PARSE_STRING_IN_QUOTATION of the file\ncode/AssetLib/MD5/MD5Parser.cpp of the component MD5 File Handler. The\nmanipulation of the argument data leads to heap-based buffer overflow.\nThe attack can be initiated remotely. The exploit has been disclosed to\nthe public and may be used.\nCVE-2025-3158, A vulnerability, which was classified as critical, has\nbeen found in Open Asset Import Library Assimp 5.4.3. Affected by this\nissue is the function Assimp::LWO::AnimResolver::UpdateAnimRangeSetup of\nthe file code/AssetLib/LWO/LWOAnimation.cpp of the component LWO File\nHandler. The manipulation leads to heap-based buffer overflow. It is\npossible to launch the attack on the local host. The exploit has been\ndisclosed to the public and may be used.\nCVE-2025-3548, A vulnerability, which was classified as critical, has\nbeen found in Open Asset Import Library Assimp up to 5.4.3. This issue\naffects the function aiString::Set in the library include/assimp/types.h\nof the component File Handler. The manipulation leads to heap-based\nbuffer overflow. It is possible to launch the attack on the local host.\nThe exploit has been disclosed to the public and may be used. It is\nrecommended to apply a patch to fix this issue.\nCVE-2025-11277, A weakness has been identified in Open Asset Import\nLibrary Assimp 6.0.2. This affects the function\nQ3DImporter::InternReadFile of the file\nassimp/code/AssetLib/Q3D/Q3DLoader.cpp. Executing a manipulation can\nlead to heap-based buffer overflow. The attack needs to be launched\nlocally. The exploit has been made available to the public and could be\nused for attacks.\nCVE-2025-70067, Buffer Overflow vulnerability exists in Assimp versions\nup to 6.0.2 in the FBX Importer. The vulnerability occurs in\naiMaterial::AddBinaryProperty, where a property key string from a\ncrafted FBX file is copied into a fixed-size heap buffer using strcpy()\nwithout runtime length validation\n", "upstream": [ "CVE-2025-2750", "CVE-2025-2751", "CVE-2025-2757", "CVE-2025-3158", "CVE-2025-3548", "CVE-2025-11277", "CVE-2025-70067" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2026-0170.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=34439" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYGDCFEL3GZ5PDUZFKEVVISQWAENNBTB/" }, { "type": "WEB", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2LQLM3OX7KPUJNJSKSVDROFQGZRJPVRF/" } ], "affected": [ { "package": { "ecosystem": "Mageia:9", "name": "assimp", "purl": "pkg:rpm/mageia/assimp?arch=source&distro=mageia-9" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.2.5-1.mga9" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }