CVE-2025-5166: 
Linux Debian vulnerability analysis and mitigation

A vulnerability was found in Open Asset Import Library (Assimp) version 5.4.3, identified as CVE-2025-5166. The issue affects the MDCImporter::InternReadFile function in the file assimp/code/AssetLib/MDC/MDCLoader.cpp, specifically in the MDC File Parser component. The vulnerability was discovered and disclosed in May 2025 (NVD, Debian).

The vulnerability is classified as an out-of-bounds read issue, occurring when the function fails to properly validate whether the pcVerts pointer is within the file boundaries. The CVSS v4.0 score is 4.8 (Medium) with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N, while the CVSS v3.1 score is 3.3 (Low) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD).

The vulnerability allows for an out-of-bounds read condition when processing MDC files, which could potentially lead to application crashes or information disclosure. The issue affects multiple versions of the software across different distributions including Debian Bullseye, Bookworm, and Sid/Trixie (Debian).

Currently, there is no official fix available for this vulnerability. The project has decided to collect all fuzzer bugs in a main issue to address them in the future (GitHub Issue). Users are advised to monitor the project's GitHub repository for updates and patches.