CVE-2025-15538
Published: 18 January 2026
Summary
CVE-2025-15538 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Assimp Assimp. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 10.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-15538 is a use-after-free vulnerability in the Open Asset Import Library (Assimp) versions up to 6.0.2. The issue affects the function Assimp::LWOImporter::FindUVChannels in the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. It is also associated with CWE-119 (improper restriction of operations within the bounds of a memory buffer) and CWE-416 (use after free), carrying a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability requires local access to exploit, with low attack complexity and low privileges (PR:L). A successful exploit can result in limited impacts to confidentiality, integrity, and availability, potentially allowing a local attacker to cause memory corruption through crafted input processed by the affected Assimp component. A proof-of-concept exploit has been publicly disclosed and is available via a ZIP file attachment.
Advisories track the issue through Assimp GitHub repository issue #6258 (including a specific comment at #6258#issuecomment-3070999530) and VulDB entries (ctiid.341727 and id.341727), with the defect also referenced under issue #6128. No specific patches or mitigations are detailed in the provided references beyond ongoing issue tracking.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3252
Vulnerability details
A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. Affected by this vulnerability is the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. Such manipulation leads to use after free. The attack needs to be performed…
more
locally. The exploit has been disclosed publicly and may be used. This and similar defects are tracked and handled via issue #6128.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in file parsing library directly enables local execution via crafted malicious asset file (PoC via attachment).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly implements memory protection mechanisms that mitigate use-after-free conditions such as the one in Assimp::LWOImporter::FindUVChannels.
Requires validation of all inputs (e.g., LWO asset files) before processing, blocking the crafted local input that triggers the use-after-free.
Mandates timely identification and remediation of the tracked flaw (#6128) in the Assimp library before exploitation can occur.