CVE-2025-2756: 
Linux Debian vulnerability analysis and mitigation

A critical heap-based buffer overflow vulnerability (CVE-2025-2756) was discovered in Open Asset Import Library (Assimp) version 5.4.3. The vulnerability affects the Assimp::AC3DImporter::ConvertObjectSection function in the AC3D File Handler component (code/AssetLib/AC/ACLoader.cpp). The vulnerability was disclosed on March 25, 2025 (NVD, CVE).

The vulnerability occurs due to improper boundary checking between the size of vertices (mesh->mNumVertices) and (*it).entries.size() in the ConvertObjectSection function. The manipulation of the argument tmp leads to a heap-based buffer overflow condition. The vulnerability has been assigned CVSS v4.0 score of 5.3 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N and CVSS v3.1 score of 6.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (NVD).

The vulnerability allows remote attackers to potentially execute arbitrary code by tricking victims into processing malformed AC3D files with Assimp. The heap-based buffer overflow can lead to memory corruption and potential code execution in the context of the application processing the malicious file (GitHub Issue).

As of the vulnerability disclosure, no official patch has been released. The vulnerability affects Assimp version 5.4.3 and potentially later versions. Users are advised to monitor the official Assimp repository for security updates (GitHub Issue).