CVE-2020-35635: 
Linux Debian vulnerability analysis and mitigation

A code execution vulnerability (CVE-2020-35635) exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1, specifically in NefS2/SNCioparser.h SNCioparser::readsface() storesmboundaryitem() Sloopof OOB read. The vulnerability was disclosed and patches were released in 2021 (Debian Security, Talos Intelligence).

The vulnerability stems from an out-of-bounds read vulnerability in the Nef polygon-parsing code, specifically in the storesmboundaryitem() function handling Sloopof operations. When parsing specially crafted malformed files, the code can lead to an out-of-bounds read and type confusion. The vulnerability has been assigned a CVSS score of 10.0 (Critical) with vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (Talos Intelligence).

The vulnerability could lead to code execution if successfully exploited. An attacker can trigger this vulnerability by providing malicious input, potentially leading to arbitrary code execution on the affected system (Debian Security).

The vulnerability has been fixed in multiple versions across different distributions. Debian 10 (buster) users should upgrade to version 4.13-1+deb10u1, while users of other distributions should upgrade to their respective patched versions. For Gentoo users, upgrading to version 5.4.1 or later is recommended (Debian LTS, Gentoo Security).