{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Low" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"assimp security update", "category":"general", "title":"Synopsis" }, { "text":"An update for assimp is now available for openEuler-24.03-LTS-SP3", "category":"general", "title":"Summary" }, { "text":"Assimp is a library to load and process geometric scenes from various data formats. Assimp aims to provide a full asset conversion pipeline for use in game engines and real-time rendering systems of any kind, but is not limited to this purpose.\n\nSecurity Fix(es):\n\nA vulnerability was detected in Assimp up to 6.0.4. Affected is the function glTF2Importer::ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp of the component TF File Handler. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. The pull request to fix this issue awaits acceptance.(CVE-2026-10197)\n\nA vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Such manipulation of the argument operator[] leads to null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue.(CVE-2026-10199)", "category":"general", "title":"Description" }, { "text":"An update for assimp is now available for master/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP3/openEuler-24.03-LTS-SP4.\n\nopenEuler Security has rated this update as having a security impact of low. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Low", "category":"general", "title":"Severity" }, { "text":"assimp", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2026-2560", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2560" }, { "summary":"CVE-2026-10197", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-10197&packageName=assimp" }, { "summary":"CVE-2026-10199", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-10199&packageName=assimp" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-10197" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-10199" }, { "summary":"openEuler-SA-2026-2560 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2026/csaf-openeuler-sa-2026-2560.json" } ], "title":"An update for assimp is now available for openEuler-24.03-LTS-SP3", "tracking":{ "initial_release_date":"2026-06-08T15:01:30+08:00", "revision_history":[ { "date":"2026-06-08T15:01:30+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2026-06-08T15:01:30+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2026-06-08T15:01:30+08:00", "id":"openEuler-SA-2026-2560", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"openEuler-24.03-LTS-SP3", "name":"openEuler-24.03-LTS-SP3" }, "name":"openEuler-24.03-LTS-SP3", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"assimp-5.3.1-19.oe2403sp3.aarch64.rpm", "name":"assimp-5.3.1-19.oe2403sp3.aarch64.rpm" }, "name":"assimp-5.3.1-19.oe2403sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"assimp-debuginfo-5.3.1-19.oe2403sp3.aarch64.rpm", "name":"assimp-debuginfo-5.3.1-19.oe2403sp3.aarch64.rpm" }, "name":"assimp-debuginfo-5.3.1-19.oe2403sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"assimp-debugsource-5.3.1-19.oe2403sp3.aarch64.rpm", "name":"assimp-debugsource-5.3.1-19.oe2403sp3.aarch64.rpm" }, "name":"assimp-debugsource-5.3.1-19.oe2403sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"assimp-devel-5.3.1-19.oe2403sp3.aarch64.rpm", "name":"assimp-devel-5.3.1-19.oe2403sp3.aarch64.rpm" }, "name":"assimp-devel-5.3.1-19.oe2403sp3.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"assimp-5.3.1-19.oe2403sp3.src.rpm", "name":"assimp-5.3.1-19.oe2403sp3.src.rpm" }, "name":"assimp-5.3.1-19.oe2403sp3.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"assimp-5.3.1-19.oe2403sp3.x86_64.rpm", "name":"assimp-5.3.1-19.oe2403sp3.x86_64.rpm" }, "name":"assimp-5.3.1-19.oe2403sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"assimp-debuginfo-5.3.1-19.oe2403sp3.x86_64.rpm", "name":"assimp-debuginfo-5.3.1-19.oe2403sp3.x86_64.rpm" }, "name":"assimp-debuginfo-5.3.1-19.oe2403sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"assimp-debugsource-5.3.1-19.oe2403sp3.x86_64.rpm", "name":"assimp-debugsource-5.3.1-19.oe2403sp3.x86_64.rpm" }, "name":"assimp-debugsource-5.3.1-19.oe2403sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"assimp-devel-5.3.1-19.oe2403sp3.x86_64.rpm", "name":"assimp-devel-5.3.1-19.oe2403sp3.x86_64.rpm" }, "name":"assimp-devel-5.3.1-19.oe2403sp3.x86_64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"assimp-help-5.3.1-19.oe2403sp3.noarch.rpm", "name":"assimp-help-5.3.1-19.oe2403sp3.noarch.rpm" }, "name":"assimp-help-5.3.1-19.oe2403sp3.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"python3-assimp-5.3.1-19.oe2403sp3.noarch.rpm", "name":"python3-assimp-5.3.1-19.oe2403sp3.noarch.rpm" }, "name":"python3-assimp-5.3.1-19.oe2403sp3.noarch.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"assimp-5.3.1-19.oe2403sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.aarch64", "name":"assimp-5.3.1-19.oe2403sp3.aarch64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"assimp-debuginfo-5.3.1-19.oe2403sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.aarch64", "name":"assimp-debuginfo-5.3.1-19.oe2403sp3.aarch64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"assimp-debugsource-5.3.1-19.oe2403sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.aarch64", "name":"assimp-debugsource-5.3.1-19.oe2403sp3.aarch64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"assimp-devel-5.3.1-19.oe2403sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.aarch64", "name":"assimp-devel-5.3.1-19.oe2403sp3.aarch64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"assimp-5.3.1-19.oe2403sp3.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.src", "name":"assimp-5.3.1-19.oe2403sp3.src as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"assimp-5.3.1-19.oe2403sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.x86_64", "name":"assimp-5.3.1-19.oe2403sp3.x86_64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"assimp-debuginfo-5.3.1-19.oe2403sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.x86_64", "name":"assimp-debuginfo-5.3.1-19.oe2403sp3.x86_64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"assimp-debugsource-5.3.1-19.oe2403sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.x86_64", "name":"assimp-debugsource-5.3.1-19.oe2403sp3.x86_64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"assimp-devel-5.3.1-19.oe2403sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.x86_64", "name":"assimp-devel-5.3.1-19.oe2403sp3.x86_64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"assimp-help-5.3.1-19.oe2403sp3.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:assimp-help-5.3.1-19.oe2403sp3.noarch", "name":"assimp-help-5.3.1-19.oe2403sp3.noarch as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"python3-assimp-5.3.1-19.oe2403sp3.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:python3-assimp-5.3.1-19.oe2403sp3.noarch", "name":"python3-assimp-5.3.1-19.oe2403sp3.noarch as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2026-10197", "notes":[ { "text":"A vulnerability was detected in Assimp up to 6.0.4. Affected is the function glTF2Importer::ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp of the component TF File Handler. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. The pull request to fix this issue awaits acceptance.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.src", "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-help-5.3.1-19.oe2403sp3.noarch", "openEuler-24.03-LTS-SP3:python3-assimp-5.3.1-19.oe2403sp3.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.src", "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-help-5.3.1-19.oe2403sp3.noarch", "openEuler-24.03-LTS-SP3:python3-assimp-5.3.1-19.oe2403sp3.noarch" ], "details":"assimp security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2560" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"LOW", "baseScore":3.3, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.src", "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-help-5.3.1-19.oe2403sp3.noarch", "openEuler-24.03-LTS-SP3:python3-assimp-5.3.1-19.oe2403sp3.noarch" ] } ], "threats":[ { "details":"Low", "category":"impact" } ], "title":"CVE-2026-10197" }, { "cve":"CVE-2026-10199", "notes":[ { "text":"A vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Such manipulation of the argument operator[] leads to null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.src", "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-help-5.3.1-19.oe2403sp3.noarch", "openEuler-24.03-LTS-SP3:python3-assimp-5.3.1-19.oe2403sp3.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.src", "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-help-5.3.1-19.oe2403sp3.noarch", "openEuler-24.03-LTS-SP3:python3-assimp-5.3.1-19.oe2403sp3.noarch" ], "details":"assimp security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2560" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"LOW", "baseScore":3.3, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.src", "openEuler-24.03-LTS-SP3:assimp-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-debuginfo-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-debugsource-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-devel-5.3.1-19.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:assimp-help-5.3.1-19.oe2403sp3.noarch", "openEuler-24.03-LTS-SP3:python3-assimp-5.3.1-19.oe2403sp3.noarch" ] } ], "threats":[ { "details":"Low", "category":"impact" } ], "title":"CVE-2026-10199" } ] }