CVE-2025-3160

NameCVE-2025-3160
DescriptionA vulnerability has been found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This vulnerability affects the function Assimp::SceneCombiner::AddNodeHashes of the file code/Common/SceneCombiner.cpp of the component File Handler. The manipulation leads to out-of-bounds read. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as a0993658f40d8e13ff5823990c30b43c82a5daf0. It is recommended to apply a patch to fix this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
assimp (PTS)bullseye5.0.1~ds0-2vulnerable
bookworm5.2.5~ds0-1vulnerable
sid, trixie5.4.3+ds-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
assimpsource(unstable)(unfixed)

Notes

https://github.com/assimp/assimp/issues/6025
https://github.com/assimp/assimp/pull/6049
Fixed by: https://github.com/assimp/assimp/commit/4b8f55cc0008af43a8a50b91f0134e2f4e80142e

Search for package or bug name: Reporting problems