Bug 2407262 (CVE-2025-14439, GHSA-grjp-54v3-c442) - CVE-2025-14439 usd: OpenUSD: Remote Code Execution via a specially crafted file
Summary: CVE-2025-14439 usd: OpenUSD: Remote Code Execution via a specially crafted file
Keywords:
Status: NEW
Alias: CVE-2025-14439, GHSA-grjp-54v3-c442
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2422275 2422276
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-10-29 23:06 UTC by OSIDB Bzimport
Modified: 2026-02-13 13:14 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2025-10-29 23:06:00 UTC
# Patch
This is fixed with [commit b953092](https://github.com/PixarAnimationStudios/OpenUSD/commit/b9530922b6a8ea72cd43661226b693fff8abbe4c), with the fix available in OpenUSD 25.11 and onwards.

# Summary
We have been advised by Zero Day Initiative that our usage of the USD framework may constitute a Use-After-Free Remote Code Execution Vulnerability. They have sent us the attached file illustrating the issue. Indeed, we see a use after free exception when running the file through our importer with an address sanitizer.

[zdi-23709-poc0.zip](https://github.com/user-attachments/files/17474297/zdi-23709-poc0.zip)

Thanks in advance.


Note You need to log in before you can comment on or make changes to this bug.