← back
CVE-2020-28622

CVE-2020-28622

CVSS 10 CRITICALEPSS 2.2%CWE-129
In short

A flaw in CGAL's polygon parsing allows attackers to crash the application or run arbitrary code by providing a specially crafted malformed file. The vulnerability occurs when the parser reads data beyond memory boundaries, corrupting how the program understands data types.

Technical detail

An out-of-bounds read vulnerability in CGAL-5.1.1's Nef polygon parser (SNC_io_parser.h) permits remote code execution via malformed geometry files. The attack vector requires the victim to process untrusted polygon data; type confusion resulting from the OOB read enables arbitrary code execution with the privileges of the parsing process.

Summary generated and translated by AI from the official description.
Multiple code execution vulnerabilities exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser<EW>::read_edge() eh->incident_sface().
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
CGAL Project · libcgal

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://lists.debian.org/debian-lts-announce/2022/12/msg00011.htmlhttps://security.gentoo.org/glsa/202305-34https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225