Bug 2483753 (CVE-2026-10199) - CVE-2026-10199 assimp: Assimp: Denial of Service via null pointer dereference in glTF2::LazyDict
Summary: CVE-2026-10199 assimp: Assimp: Denial of Service via null pointer dereference...
Keywords:
Status: NEW
Alias: CVE-2026-10199
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-01 15:27 UTC by Keith Grant
Modified: 2026-06-02 12:09 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Keith Grant 2026-06-01 15:27:51 UTC
A vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Such manipulation of the argument operator[] leads to null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue.

