CVE-2020-28611: 
Linux Debian vulnerability analysis and mitigation

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. The vulnerability was discovered in February 2021 and affects the CGAL Project libcgal CGAL-5.1.1 software (Talos).

The vulnerability specifically exists in NefS2/SMioparser.h SMioparser::readvertex() setfirstout_edge() function. The issue stems from insufficient validation of array indices when parsing Nef polygon data, allowing out-of-bounds memory access. The vulnerability has a CVSS v3.1 base score of 8.8 HIGH (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) according to NVD, while Talos rates it as 10.0 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The vulnerability is classified under CWE-129 (Improper Validation of Array Index) and CWE-125 (Out-of-bounds Read) (NVD).

The vulnerability could allow an attacker to achieve code execution by providing malicious input that triggers out-of-bounds read and type confusion issues. This could potentially lead to arbitrary code execution on affected systems (Talos).

The vulnerability has been addressed in newer versions of CGAL. Users are advised to upgrade to version 5.4.1 or later. For Debian 10 (buster), the fix is available in version 4.13-1+deb10u1 (Debian LTS, Gentoo).