CVE-2026-10199

LOW 3.3

Assimp glTF2Asset.h LazyDict null pointer dereference

CVSS Score

3.3

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Such manipulation of the argument operator[] leads to null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue.

CWE	CWE-476 CWE-404
Vendor	n/a
Product	assimp
Published	May 31, 2026
Last Updated	Jun 1, 2026

Stay Ahead of the Next One

Get instant alerts for n/a assimp

Be the first to know when new low vulnerabilities affecting n/a assimp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

n/a / Assimp

6.0.0 6.0.1 6.0.2 6.0.3 6.0.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/367479 vuldb.com: https://vuldb.com/vuln/367479/cti vuldb.com: https://vuldb.com/cve/CVE-2026-10199 vuldb.com: https://vuldb.com/submit/821179 github.com: https://github.com/assimp/assimp/issues/6611 github.com: https://github.com/assimp/assimp/pull/6646 github.com: https://github.com/user-attachments/files/27194148/poc.zip github.com: https://github.com/assimp/assimp/commit/d24b85319bd70c65883a2b96613e07e23fb95981 github.com: https://github.com/assimp/assimp/

Credits

🔍 TYGLS (VulDB User)