OESA-2026-1079

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-1079

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2026-1079.json

JSON Data

https://api.osv.dev/v1/vulns/OESA-2026-1079

Upstream

CVE-2025-11277

CVE-2025-2152

CVE-2025-2591

Published

2026-01-16T11:57:57Z

Modified

2026-01-16T12:30:15.929483Z

Summary

assimp security update

Details

Assimp is a library to load and process geometric scenes from various data formats. Assimp aims to provide a full asset conversion pipeline for use in game engines and real-time rendering systems of any kind, but is not limited to this purpose.

Security Fix(es):

A weakness has been identified in Open Asset Import Library Assimp 6.0.2. This affects the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. Executing manipulation can lead to heap-based buffer overflow. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited.(CVE-2025-11277)

A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. This issue affects the function Assimp::BaseImporter::ConvertToUTF8 of the file BaseImporter.cpp of the component File Handler. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.(CVE-2025-2152)

A vulnerability classified as problematic was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function MDLImporter::InternReadFile_Quake1 of the file code/AssetLib/MDL/MDLLoader.cpp. The manipulation of the argument skinwidth/skinheight leads to divide by zero. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is identified as ab66a1674fcfac87aaba4c8b900b315ebc3e7dbd. It is recommended to apply a patch to fix this issue.(CVE-2025-2591)

Database specific

{
    "severity": "Critical"
}

References

Affected packages

openEuler:24.03-LTS-SP2 / assimp

Package

Name: assimp
Purl: pkg:rpm/openEuler/assimp&distro=openEuler-24.03-LTS-SP2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.3.1-11.oe2403sp2

Ecosystem specific

{
    "aarch64": [
        "assimp-5.3.1-11.oe2403sp2.aarch64.rpm",
        "assimp-debuginfo-5.3.1-11.oe2403sp2.aarch64.rpm",
        "assimp-debugsource-5.3.1-11.oe2403sp2.aarch64.rpm",
        "assimp-devel-5.3.1-11.oe2403sp2.aarch64.rpm"
    ],
    "src": [
        "assimp-5.3.1-11.oe2403sp2.src.rpm"
    ],
    "x86_64": [
        "assimp-5.3.1-11.oe2403sp2.x86_64.rpm",
        "assimp-debuginfo-5.3.1-11.oe2403sp2.x86_64.rpm",
        "assimp-debugsource-5.3.1-11.oe2403sp2.x86_64.rpm",
        "assimp-devel-5.3.1-11.oe2403sp2.x86_64.rpm"
    ],
    "noarch": [
        "assimp-help-5.3.1-11.oe2403sp2.noarch.rpm",
        "python3-assimp-5.3.1-11.oe2403sp2.noarch.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1079.json"