CVE-2026-32845
Published: 23 March 2026
Summary
CVE-2026-32845 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked at the 2.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32845, published on 2026-03-23, is an integer overflow vulnerability (CWE-190) affecting cgltf versions 1.15 and prior. The issue resides in the cgltf_validate() function during validation of sparse accessors, where unchecked arithmetic operations on attacker-controlled size values from crafted glTF/GLB input files trigger out-of-bounds reads. This leads to heap buffer over-reads in the cgltf_calc_index_bound() function. The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker, requiring no privileges or user interaction, can exploit this vulnerability by supplying malicious glTF/GLB files to applications or services that parse them using the affected cgltf library. Successful exploitation causes heap buffer over-reads, resulting in denial-of-service crashes or potential disclosure of sensitive memory contents.
Mitigation details are available in advisories including the GitHub issue at https://github.com/jkuhlmann/cgltf/issues/287 and the VulnCheck advisory at https://www.vulncheck.com/advisories/jkuhlmann-cgltf-sparse-accessor-validation-integer-overflow.
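The following is an added defensive illustration, not cgltf's own code: the struct and field names are hypothetical. It shows how the byte-range check a sparse-accessor validator must perform (offset + count * component_size against the backing buffer size) silently wraps when done with plain size_t arithmetic, and how overflow-checked builtins reject the same input before any read happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified view of a sparse accessor's index block.
   Field names are assumptions for this example, not cgltf's own. */
typedef struct {
    size_t buffer_size;    /* bytes available in the backing buffer view */
    size_t offset;         /* byte offset of the index data in that view */
    size_t count;          /* number of sparse indices */
    size_t component_size; /* bytes per index: 1, 2 or 4 in glTF */
} sparse_indices_t;

/* Unchecked form of the bug class (CWE-190): count * component_size and the
   following addition can wrap, so 'end' lands inside the buffer and the
   comparison passes even though the real range runs far past it. */
bool sparse_range_ok_unchecked(const sparse_indices_t *s)
{
    size_t end = s->offset + s->count * s->component_size;
    return end <= s->buffer_size;
}

/* Hardened form: every arithmetic step is overflow-checked and any wrap is
   treated as a validation failure. __builtin_*_overflow is GCC/Clang. */
bool sparse_range_ok_checked(const sparse_indices_t *s)
{
    size_t bytes, end;
    if (s->component_size != 1 && s->component_size != 2 && s->component_size != 4)
        return false;                                   /* invalid index type */
    if (__builtin_mul_overflow(s->count, s->component_size, &bytes))
        return false;                                   /* count * size wrapped */
    if (__builtin_add_overflow(s->offset, bytes, &end))
        return false;                                   /* offset + bytes wrapped */
    return end <= s->buffer_size;
}
```

With a constructed count of SIZE_MAX / 4 + 1 and 4-byte indices the product wraps to 0, so the unchecked version accepts a range that does not fit in a 16-byte buffer while the checked version rejects it.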
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14448
Vulnerability details
cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors that allows attackers to trigger out-of-bounds reads by supplying crafted glTF/GLB input files with attacker-controlled size values. Attackers can exploit unchecked arithmetic operations in sparse accessor validation to cause heap buffer over-reads in cgltf_calc_index_bound(), resulting in denial of service crashes and potential memory disclosure.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Crafted glTF/GLB files trigger the integer overflow and heap over-read in cgltf parsing (Malicious File, T1204.002); the resulting crashes directly enable application denial of service via vulnerability exploitation (Application or System Exploitation, T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly addresses the vulnerability by requiring identification, reporting, and correction of the integer overflow flaw in the cgltf library through timely patching to fixed versions.
- SI-10 (Information Input Validation): requires validation of glTF/GLB input files, including bounds checking on attacker-controlled size values in sparse accessors, to prevent integer overflows and out-of-bounds reads.
- SI-16 (Memory Protection): implements memory safeguards such as ASLR and DEP to mitigate heap buffer over-reads from the integer overflow, reducing potential memory disclosure and DoS impacts.