CVE-2025-11277: 
NixOS vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability has been identified in Open Asset Import Library (Assimp) version 6.0.2, specifically affecting the Q3DImporter::InternReadFile function in the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. The vulnerability was discovered on September 19, 2025, and was assigned CVE-2025-11277. The issue was publicly disclosed on October 4, 2025 (NVD, VulDB).

The vulnerability occurs due to an integer overflow when processing texture data. When extremely large values are provided for texture width and height, their multiplication overflows the unsigned int range, causing the product to wrap around to a small number. This leads to improper memory allocation and subsequent buffer overflow during texture data processing. The vulnerability has received a CVSS v3.1 base score of 7.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and a CVSS v4.0 score of 4.8 (MEDIUM) (NVD).

Successful exploitation of this vulnerability could lead to heap-based buffer overflow, potentially resulting in arbitrary code execution, application crashes, or denial of service. The attack requires local access to execute the manipulation (Red Hat).

Currently, there is no official patch available for this vulnerability. Red Hat has noted that mitigation options either do not exist or do not meet their Product Security criteria for ease of use, deployment, and stability (Red Hat).