CVE-2025-15538
Published: 18 January 2026
Summary
CVE-2025-15538 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Assimp Assimp. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 7.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.
Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.
Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.
Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in file parsing library directly enables local execution via crafted malicious asset file (PoC via attachment).
NVD Description
A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. Affected by this vulnerability is the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. Such manipulation leads to use after free. The attack needs to be performed…
more
locally. The exploit has been disclosed publicly and may be used. This and similar defects are tracked and handled via issue #6128.
Deeper analysisAI
CVE-2025-15538 is a use-after-free vulnerability in the Open Asset Import Library (Assimp) versions up to 6.0.2. The issue affects the function Assimp::LWOImporter::FindUVChannels in the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. It is also associated with CWE-119 (improper restriction of operations within the bounds of a memory buffer) and CWE-416 (use after free), carrying a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability requires local access to exploit, with low attack complexity and low privileges (PR:L). A successful exploit can result in limited impacts to confidentiality, integrity, and availability, potentially allowing a local attacker to cause memory corruption through crafted input processed by the affected Assimp component. A proof-of-concept exploit has been publicly disclosed and is available via a ZIP file attachment.
Advisories track the issue through Assimp GitHub repository issue #6258 (including a specific comment at #6258#issuecomment-3070999530) and VulDB entries (ctiid.341727 and id.341727), with the defect also referenced under issue #6128. No specific patches or mitigations are detailed in the provided references beyond ongoing issue tracking.
Details
- CWE(s)