CVE-2025-5165: 
Linux Debian vulnerability analysis and mitigation

A vulnerability has been identified in Open Asset Import Library Assimp version 5.4.3, tracked as CVE-2025-5165. The issue affects the MDCImporter::ValidateSurfaceHeader function in the file assimp/code/AssetLib/MDC/MDCLoader.cpp. The vulnerability is characterized by an out-of-bounds read condition that occurs when manipulating the pcSurface2 argument. The vulnerability was discovered and disclosed on May 25, 2025 (VulDB, NVD).

The vulnerability stems from incomplete header validation in the MDCImporter::ValidateSurfaceHeader function. Specifically, the code fails to check whether pcSurf->ulOffsetEnd is within bounds, leading to pcSurface2 being set to memory beyond the file's end. This results in a heap-based buffer overflow when accessing the memory. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (GitHub Issue).

The vulnerability affects the availability of the system through an out-of-bounds read condition. The impact is considered low as it requires local access to exploit, and there are no direct impacts on confidentiality or integrity of the system (VulDB).

Currently, there are no specific mitigation measures or workarounds documented for this vulnerability. The project has decided to collect all Fuzzer bugs in a main issue to address them in the future (GitHub Epic).