GHSA-58p5-r2f6-g2cj: 
Python vulnerability analysis and mitigation

A critical Use-After-Free (UAF) vulnerability (GHSA-58p5-r2f6-g2cj) was discovered in the Sdf_PathNode module of the Pixar OpenUSD library. The vulnerability affects usd-core (pip) versions below 25.8 and was disclosed in September 2025. The issue impacts multiple OpenUSD tools including sdfdump, usdtree, usdcat, and sdffilter (GitHub Advisory).

The vulnerability occurs during the deletion of the SdfPrimPathNode object in multi-threaded environments, specifically in SdfPrimPathNode::~SdfPrimPathNode(). When multiple threads attempt to destroy or modify the same SdfPathNode object, a race condition occurs, causing the object to be accessed after it has been freed. This leads to segmentation faults or bus errors in the system (GitHub Advisory).

The vulnerability can result in segmentation faults or bus errors, potentially allowing attackers to execute remote code execution (RCE) attacks. By using a specially crafted .usd file, an attacker could gain control of the affected system. The vulnerability affects multiple OpenUSD tools and could potentially compromise systems processing USD files (GitHub Advisory).

The vulnerability has been patched in OpenUSD version 25.08 and later releases. Users are strongly advised to upgrade to version 25.08 or newer to address this security issue. The fix was implemented in commit 0d74f31 (GitHub Advisory).