CVE-2025-5201: 
Linux Debian vulnerability analysis and mitigation

A vulnerability has been identified in Open Asset Import Library (Assimp) version 5.4.3, tracked as CVE-2025-5201. The issue affects the LWOImporter::CountVertsAndFacesLWO2 function in the file assimp/code/AssetLib/LWO/LWOLoader.cpp, where an out-of-bounds read vulnerability exists. The vulnerability was discovered and disclosed to the public in May 2025 (NVD).

The vulnerability stems from improper memory handling in the LWOImporter::CountVertsAndFacesLWO2 function. The code assumes that the end pointer is 2-byte-aligned, but when it is not, the memcpy operation reads out of bounds. Additionally, the numIndices variable is used in a loop condition without proper boundary checks, leading to potential buffer overflows. The issue has been assigned CVSS v3.1 Base Score of 3.3 (LOW) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (Github Issue).

The vulnerability allows for out-of-bounds read operations, which could potentially lead to information disclosure or application crashes. The attack requires local access to be exploited, limiting its potential impact. The vulnerability primarily affects the integrity of memory operations when processing LWO format files (NVD).

The project team has acknowledged the vulnerability and is tracking it along with other fuzzer-detected bugs. Currently, there is no official patch available, as the project has decided to address these issues collectively in the future (Github Issue).