CVE-2026-14604

NameCVE-2026-14604
DescriptionA vulnerability was determined in Open Asset Import Library Assimp up to 6.0.4. Affected is the function Assimp::Exporter::ExportToBlob of the file code/AssetLib/Ply/PlyLoader.cpp of the component PLY Model Handler. This manipulation causes double free. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
assimp (PTS)bullseye5.0.1~ds0-2vulnerable
bookworm5.2.5~ds0-1vulnerable
trixie5.4.3+ds-2vulnerable
forky, sid6.0.5+ds-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
assimpsource(unstable)(unfixed)

Notes

https://github.com/assimp/assimp/issues/6620

Search for package or bug name: Reporting problems