CVE-2025-5167: 
Linux Debian vulnerability analysis and mitigation

A vulnerability was discovered in Open Asset Import Library (Assimp) version 5.4.3, identified as CVE-2025-5167. The vulnerability affects the LWOImporter::GetS0 function in the library file assimp/code/AssetLib/LWO/LWOLoader.h, where an out-of-bounds read can occur. The issue was discovered through fuzzing and requires local access to exploit (GitHub Issue).

The vulnerability is an out-of-bounds read in the LWOImporter::GetS0 function. The function contains a check for buffer size and warns "LWO: Invalid file, string is too long", but despite this warning, it still includes one past-the-end byte in the string output if the data is not null-terminated. The issue has been assigned a CVSS v3.1 score of 3.3 (LOW) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L and is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read) (NVD).

The vulnerability has a low severity impact, primarily affecting the availability of the system. The out-of-bounds read could potentially cause application crashes or unexpected behavior when processing malformed LWO files (VulDB).

The project has acknowledged the issue and has decided to collect all fuzzer bugs in a main tracking issue for future addressing. Currently, there is no official patch available. Users are advised to monitor the project's GitHub repository for updates (GitHub Issue).