CVE-2025-11274: 
Linux Debian vulnerability analysis and mitigation

A vulnerability was identified in Open Asset Import Library Assimp 6.0.2, specifically affecting the Q3DImporter::InternReadFile function in the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. The vulnerability was discovered on September 18, 2025, and publicly disclosed on October 4, 2025. This security issue involves uncontrolled allocation of resources that requires local access for exploitation (VulDB).

The vulnerability occurs in the Q3DImporter::InternReadFile function where the importer reads the number of materials (numMats) directly from the input file without proper validation. When this value is used in materials.reserve(numMats), a malicious file can specify an extremely large value, causing the program to request an allocation that exceeds addressable memory. The vulnerability has been assigned CVSS v3.1 Base Score of 3.3 (LOW) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L and is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption) (GitHub Issue, VulDB).

The successful exploitation of this vulnerability can lead to a denial of service condition through resource exhaustion. When exploited, the program crashes with an allocation-size-too-big error under AddressSanitizer (ASan), causing the process to terminate (GitHub Issue).