CVE-2025-57109

NameCVE-2025-57109
DescriptionKitware VTK (Visualization Toolkit) 9.5.0 is vulnerable to Heap Use-After-Free in vtkGLTFImporter::ImportActors. When processing GLTF files with invalid scene node references, the application accesses string members of mesh objects that have been previously freed during actor import operations.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1119824

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
vtk9 (PTS)bullseye9.0.1+dfsg1-8vulnerable
bookworm9.1.0+really9.1.0+dfsg2-5vulnerable
trixie9.3.0+dfsg1-4vulnerable
forky, sid9.5.2+dfsg2-4vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
vtk9source(unstable)(unfixed)1119824

Notes

[trixie] - vtk9 <no-dsa> (Minor issue)
[bookworm] - vtk9 <no-dsa> (Minor issue)
[bullseye] - vtk9 <postponed> (Minor issue)
https://gitlab.kitware.com/vtk/vtk/-/issues/19735
Search for package or bug name: Reporting problems