Cyber Resilience

CVE-2026-32845

Severity: Medium · Public PoC available

Published: 23 March 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: not recorded
CVSS v4.0 score: 6.9 (Medium)
CVSS v4.0 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS score: 0.0013 (2.5th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-32845 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in the cgltf glTF/GLB parsing library. Its CVSS v4.0 base score is 6.9 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique User Execution: Malicious File (T1204.002): a victim application has to parse an attacker-supplied glTF/GLB file. EPSS ranks the CVE at the 2.5th percentile for exploit likelihood, well below the median. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32845, published on 2026-03-23, is an integer overflow vulnerability (CWE-190) affecting cgltf versions 1.15 and prior. The issue resides in the cgltf_validate() function during validation of sparse accessors: size values taken from a crafted glTF/GLB file are combined with unchecked arithmetic, so an attacker-controlled count or offset can wrap the computed size, the validation check passes, and later processing in cgltf_calc_index_bound() reads past the end of the heap buffer. A CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) has also been assigned, while this page's CVSS v4.0 assessment is 6.9 (VC:N/VI:N/VA:H); the two disagree on confidentiality and integrity impact. The consequences described here, a crash or a read of adjacent heap memory, match the availability-focused v4 vector, so treat the 8.4 figure as an upper bound.

A local attacker, requiring no privileges or user interaction, can exploit this vulnerability by supplying a malicious glTF/GLB file to any application or service that parses it with the affected cgltf library. Successful exploitation causes a heap buffer over-read, which results in a denial-of-service crash or potential disclosure of sensitive memory contents. Any service that ingests untrusted glTF/GLB assets through cgltf is therefore in scope.
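To make the wraparound concrete, the following C program is an added example written for this page. It is not cgltf's source: the function names (sparse_indices_fit_unchecked, sparse_indices_fit_checked, sparse_indices_fit_portable, sparse_max_index_u32) and the parameters byte_offset, component_size, count and view_size are assumptions modelled on the glTF sparse-accessor fields, not on cgltf's internals. It shows a size check written with plain size_t arithmetic, which a crafted count wraps past, beside two overflow-checked rewrites, and a bounded reader that refuses to touch memory when the check fails.

```c
/* Added illustrative model of a sparse-accessor size check; NOT cgltf's code.
 * Names are assumptions mirroring glTF's sparse accessor layout:
 * sparse.count, sparse.indices.byteOffset, the index component size
 * (1, 2 or 4 bytes) and the byteLength of the backing bufferView. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (CWE-190): plain size_t arithmetic. An attacker-chosen
 * count makes component_size * count wrap to a small value, the comparison
 * passes, and a later loop over `count` indices reads past the heap buffer. */
bool sparse_indices_fit_unchecked(size_t byte_offset, size_t component_size,
                                  size_t count, size_t view_size)
{
    size_t required = byte_offset + component_size * count; /* may wrap */
    return required <= view_size;
}

/* Hardened: overflow-checked arithmetic (GCC and Clang builtins). */
bool sparse_indices_fit_checked(size_t byte_offset, size_t component_size,
                                size_t count, size_t view_size)
{
    size_t bytes, required;
    if (__builtin_mul_overflow(component_size, count, &bytes))
        return false;                     /* product does not fit size_t */
    if (__builtin_add_overflow(byte_offset, bytes, &required))
        return false;                     /* sum does not fit size_t */
    return required <= view_size;
}

/* Same check without builtins: divide first so the multiply cannot wrap. */
bool sparse_indices_fit_portable(size_t byte_offset, size_t component_size,
                                 size_t count, size_t view_size)
{
    if (component_size == 0 || count > SIZE_MAX / component_size)
        return false;
    size_t bytes = component_size * count;
    if (byte_offset > SIZE_MAX - bytes)
        return false;
    return byte_offset + bytes <= view_size;
}

/* Largest value among `count` uint32 indices (host byte order; real glTF
 * data is little-endian), guarded by the checked validation: returns false
 * without touching memory when the declared run does not fit in the view. */
bool sparse_max_index_u32(const uint8_t *view, size_t view_size,
                          size_t byte_offset, size_t count, uint32_t *max_out)
{
    if (!sparse_indices_fit_checked(byte_offset, sizeof(uint32_t), count, view_size))
        return false;
    uint32_t max = 0;
    for (size_t i = 0; i < count; i++) {
        uint32_t v;
        memcpy(&v, view + byte_offset + i * sizeof v, sizeof v);
        if (v > max)
            max = v;
    }
    *max_out = max;
    return true;
}

/* A count for which 4 * count wraps to exactly 0 at any size_t width. */
size_t wrapping_count_u32(void)
{
    return SIZE_MAX / 4 + 1;
}

/* Constructed benign input: indices {5, 9} at offset 8 of a 16-byte view.
 * Returns the maximum index, or UINT32_MAX if validation rejects it. */
uint32_t demo_benign_max_index(void)
{
    uint8_t view[16] = {0};
    uint32_t idx[2] = {5, 9};
    memcpy(view + 8, idx, sizeof idx);
    uint32_t max;
    return sparse_max_index_u32(view, sizeof view, 8, 2, &max) ? max : UINT32_MAX;
}

/* Constructed hostile input: the same 16-byte view with a wrapping count.
 * Returns true when the guarded reader refuses it. */
bool demo_crafted_read_rejected(void)
{
    uint8_t view[16] = {0};
    uint32_t max;
    return !sparse_max_index_u32(view, sizeof view, 8, wrapping_count_u32(), &max);
}

int main(void)
{
    size_t count = wrapping_count_u32();
    printf("unchecked check accepts crafted count: %d\n",
           sparse_indices_fit_unchecked(8, 4, count, 16));  /* 1: wrapped */
    printf("checked check accepts crafted count:   %d\n",
           sparse_indices_fit_checked(8, 4, count, 16));    /* 0 */
    printf("portable check accepts crafted count:  %d\n",
           sparse_indices_fit_portable(8, 4, count, 16));   /* 0 */
    printf("benign max index: %u, crafted read rejected: %d\n",
           demo_benign_max_index(), demo_crafted_read_rejected());  /* 9, 1 */
    return 0;
}
```

Build with `cc -std=c11 -Wall example.c` using GCC or Clang; the `__builtin_*_overflow` variant needs one of those compilers, which is why the portable division-based form is shown alongside it. The crafted count is the simplest wrapping value, but any count large enough to carry the product past SIZE_MAX defeats the unchecked comparison, and the same pattern applies to the values run (values_byte_offset + element_size * count) of a sparse accessor.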

Remediation details are available in the GitHub issue at https://github.com/jkuhlmann/cgltf/issues/287 and the VulnCheck advisory at https://www.vulncheck.com/advisories/jkuhlmann-cgltf-sparse-accessor-validation-integer-overflow.


Vulnerability details

cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors that allows attackers to trigger out-of-bounds reads by supplying crafted glTF/GLB input files with attacker-controlled size values. Attackers can exploit unchecked arithmetic operations in sparse accessor validation to cause heap buffer over-reads in cgltf_calc_index_bound(), resulting in denial of service crashes and potential memory disclosure.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1204.002 User Execution: Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1499.004 Endpoint Denial of Service: Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

A crafted glTF/GLB file opened by the victim application triggers the integer overflow and heap over-read in cgltf parsing (T1204.002); the resulting crash denies the application to its users, which is denial of service through vulnerability exploitation (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33666 (shared CWE-190)
CVE-2026-24173 (shared CWE-190)
CVE-2026-24210 (shared CWE-190)
CVE-2026-35092 (shared CWE-190)
CVE-2026-28952 (shared CWE-190)
CVE-2026-21347 (shared CWE-190)
CVE-2026-33662 (shared CWE-190)
CVE-2026-33019 (shared CWE-190)
CVE-2025-46597 (shared CWE-190)
CVE-2026-6773 (shared CWE-190)


Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)
Directly addresses the vulnerability by requiring identification, reporting, and correction of the integer overflow flaw in the cgltf library through timely patching to fixed versions.

SI-10 Information Input Validation (prevent)
Requires validation of glTF/GLB input files, including overflow-safe bounds checking on attacker-controlled size values in sparse accessors, to prevent integer overflows and out-of-bounds reads.

SI-16 Memory Protection (prevent)
Implements memory safeguards like ASLR and DEP to mitigate heap buffer over-reads from the integer overflow, reducing potential memory disclosure and DoS impacts. Note that neither mechanism stops the over-read or the resulting crash; they limit what an attacker can do with disclosed memory, so they complement patching rather than replace it.
