CVE-2025-57108

Name: CVE-2025-57108
Description: Kitware VTK (Visualization Toolkit) through 9.5.0 contains a heap use-after-free vulnerability in vtkGLTFDocumentLoader. The vulnerability manifests during mesh object copy operations where vector members are accessed after the underlying memory has been freed, specifically when handling GLTF files with corrupted or invalid mesh reference structures.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1119823

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release       Version                      Status
vtk9 (PTS)        bullseye      9.0.1+dfsg1-8                vulnerable
                  bookworm      9.1.0+really9.1.0+dfsg2-5    vulnerable
                  trixie        9.3.0+dfsg1-4                vulnerable
                  forky, sid    9.5.2+dfsg2-4                vulnerable

The information below is based on the following data on fixed versions.

Package    Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
vtk9       source    (unstable)    (unfixed)                             1119823

Notes

https://gitlab.kitware.com/vtk/vtk/-/issues/19736
