PYSEC-2025-226

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/vtk/PYSEC-2025-226.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2025-226
Aliases
Published
2025-10-31T15:15:42.550Z
Modified
2026-05-20T09:19:22.013831Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Kitware VTK (Visualization Toolkit) through 9.5.0 contains a heap use-after-free vulnerability in vtkGLTFDocumentLoader. The vulnerability manifests during mesh object copy operations where vector members are accessed after the underlying memory has been freed, specifically when handling GLTF files with corrupted or invalid mesh reference structures.

References

Affected packages

PyPI / vtk

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.5.1

Affected versions

8.*
8.1.0
8.1.1
8.1.2
9.*
9.0.0
9.0.1
9.0.2
9.0.3
9.1.0
9.2.2
9.2.4
9.2.5
9.2.6
9.3.0
9.3.1
9.3.20230807rc0
9.4.0
9.4.1
9.4.2
9.5.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/vtk/PYSEC-2025-226.yaml"