CVE-2025-5168: 
Linux Debian vulnerability analysis and mitigation

A vulnerability has been identified in Open Asset Import Library (Assimp) version 5.4.3, tracked as CVE-2025-5168. The issue affects the MDLImporter::ImportUVCoordinate3DGSMDL345 function in the file assimp/code/AssetLib/MDL/MDLLoader.cpp. This vulnerability has been rated as problematic and requires local access to exploit (NVD CVE).

The vulnerability is characterized as an out-of-bounds read issue that occurs when manipulating the iIndex argument in the MDLImporter::ImportUVCoordinate3DGSMDL345 function. The root cause stems from improper validation of pcHeader->synctype, which when negative, allows for large numbers in iIndex leading to heap buffer overflow. The vulnerability has received a CVSS v3.1 Base Score of 3.3 (LOW) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (GitHub Issue).

The vulnerability results in a heap-buffer-overflow condition that could lead to unauthorized read access of memory locations. While the impact is considered low due to the local access requirement and limited exploitation potential, it could potentially affect system stability or lead to information disclosure (NVD CVE).

The project team has acknowledged the issue and decided to collect all fuzzer bugs in a main tracking issue for future addressing. Currently, there is no official patch available, and the vulnerability remains unfixed in the affected version (GitHub Epic).