CVE-2026-42477
Published: 01 May 2026
Summary
CVE-2026-42477 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Opencascade Open Cascade Technology. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). It ranks at the 2.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-42477 is a heap-based out-of-bounds read vulnerability in the RWObj_Reader::read function of the OBJ file parser in Open CASCADE Technology (OCCT) V8_0_0_rc5. The issue stems from Standard_ReadLineBuffer::ReadLine() returning a 1-byte buffer for a minimal OBJ line, after which RWObj_Reader::read() invokes pushIndices(aLine + 2) without validating the buffer length. This flaw, classified under CWE-125, was published on 2026-05-01.
User-assisted attackers can exploit this vulnerability by persuading victims to open a crafted OBJ file, requiring local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), and user interaction (UI:R). Successful exploitation can lead to denial of service (A:H) or disclosure of sensitive information (C:H), with no integrity impact (I:N) and no scope change (S:U), earning a CVSS v3.1 base score of 7.1.
Mitigation details are available in the referenced advisory at https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26600
Vulnerability details
A heap-based out-of-bounds read vulnerability in RWObj_Reader::read in the OBJ file parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows user-assisted attackers to cause a denial of service or obtain sensitive information by persuading a victim to open a crafted OBJ file. The issue occurs because Standard_ReadLineBuffer::ReadLine() can return a 1-byte buffer for a minimal OBJ line, and RWObj_Reader::read() calls pushIndices(aLine + 2) without validating the buffer length.
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is triggered by a user opening a crafted malicious OBJ file in an application using the OCCT library, directly enabling exploitation via T1204.002 Malicious File under User Execution.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of OBJ file line buffers before accessing offsets like aLine + 2 to prevent heap-based out-of-bounds reads.
- SI-2 (Flaw Remediation): Ensures timely patching of the specific buffer length validation flaw in OCCT's RWObj_Reader OBJ parser.
- SI-11 (Error Handling): Limits sensitive information disclosure by requiring error handling that avoids revealing internal state during out-of-bounds read failures.
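The length check that the SI-10 control above calls for, as an added example that is not OCCT's code: a simplified OBJ face-line parser (hypothetical names LineView, parseFaceLine, parseFaceString) that refuses to step to aLine + 2 until the buffer is known to hold at least three bytes, the condition the unchecked read described under "Vulnerability details" lacked, and that bounds every later access by the line length rather than by a terminator.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Added illustration, not OCCT code: a line view carrying an explicit length.
// The advisory says Standard_ReadLineBuffer::ReadLine() can hand back a buffer
// as short as 1 byte for a minimal line such as "f"; modelling the line as
// pointer + length makes that case visible to the parser.
struct LineView {
  const char* ptr;
  std::size_t len;
};

// Hardened handling of an OBJ face line ("f v1 v2 v3" or "f v/t/n ...").
// The pattern the advisory describes advanced to aLine + 2 before confirming
// the buffer held two bytes; here every dereference is bounded by len.
// Returns the number of vertex indices parsed, or -1 for a malformed line.
int parseFaceLine(const LineView& aLine, std::vector<int>& theIndices) {
  if (aLine.len == 0 || aLine.ptr[0] != 'f') return -1;
  // Length check before the offset: "f" (1 byte) and "f " (2 bytes) carry no
  // index text, so aLine.ptr + 2 must not be read for them.
  if (aLine.len < 3 || aLine.ptr[1] != ' ') return -1;
  const char* p   = aLine.ptr + 2;          // in bounds: len >= 3
  const char* end = aLine.ptr + aLine.len;  // one past the last valid byte
  int count = 0;
  while (p < end) {
    while (p < end && *p == ' ') ++p;       // skip separators
    if (p == end) break;
    int value = 0;
    bool digit = false;
    while (p < end && *p >= '0' && *p <= '9') {
      value = value * 10 + (*p - '0');
      ++p;
      digit = true;
    }
    if (!digit) return -1;                  // an index must start with a digit
    theIndices.push_back(value);
    ++count;
    while (p < end && *p != ' ') ++p;       // drop the "/t/n" tail of v/t/n tuples
  }
  return count;
}

// Convenience wrapper for constructed test input held in a std::string.
int parseFaceString(const std::string& theLine, std::vector<int>& theIndices) {
  LineView aView{theLine.data(), theLine.size()};
  return parseFaceLine(aView, theIndices);
}
```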