Description
MaterialX Null Pointer Dereference in MaterialXCore Shader Generation due to Unchecked implGraphOutput
Summary
When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.
Details
In source/MaterialXCore/Material.cpp, the following code extracts the output nodes for a given implementation graph:
However, after assigning the implGraphOutput variable from the output node lookup, the code doesn't check whether its value is null before accessing its iterator through traverseGraph(). This leads to a potential null pointer dereference.
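The check whose absence is described above, as an added example that is not MaterialX's code or its actual patch: `Output`, `NodeGraph`, `collectShaderNodes` and `sampleGraph` are simplified hypothetical stand-ins, and only the names `implGraphOutput` and `traverseGraph()` are taken from the advisory text.

```cpp
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Simplified stand-ins (hypothetical types, not the MaterialX classes).
struct Output {
    std::vector<std::string> upstream;  // nodes reachable from this output
    const std::vector<std::string>& traverseGraph() const { return upstream; }
};
using OutputPtr = std::shared_ptr<Output>;
struct NodeGraph {
    std::map<std::string, OutputPtr> outputs;
    // Returns nullptr when the file never declared the requested output.
    OutputPtr getOutput(const std::string& name) const {
        auto it = outputs.find(name);
        if (it == outputs.end()) return nullptr;
        return it->second;
    }
};

// Hardened lookup: the output name comes from untrusted file content, so the
// pointer is validated before traverseGraph() is called on it.
bool collectShaderNodes(const NodeGraph& implGraph, const std::string& outputName,
                        std::vector<std::string>& nodes) {
    nodes.clear();
    OutputPtr implGraphOutput = implGraph.getOutput(outputName);
    if (!implGraphOutput) return false;  // without this: null dereference below
    for (const std::string& n : implGraphOutput->traverseGraph())
        nodes.push_back(n);
    return true;
}

// Constructed sample: a graph that declares only the output "out".
NodeGraph sampleGraph() {
    auto out = std::make_shared<Output>();
    out->upstream.push_back("surface1");
    out->upstream.push_back("image1");
    NodeGraph g;
    g.outputs["out"] = out;
    return g;
}

int main() {
    std::vector<std::string> nodes;
    bool ok = collectShaderNodes(sampleGraph(), "missing", nodes);
    std::cout << "missing output " << (ok ? "accepted" : "rejected") << "\n";
}
```

Returning an error to the caller lets the loader reject the file instead of terminating the host application.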
PoC
Please download nullptr_implgraph.mtlx from the following link:
https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011
build/bin/MaterialXView --material nullptr_implgraph.mtlx
Impact
An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.
References
- https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-7qw8-3vmf-gj32
- https://nvd.nist.gov/vuln/detail/CVE-2025-53011
- https://github.com/AcademySoftwareFoundation/MaterialX/commit/7ac1c71de5187dc29793292b5a8dc6d784192ecf
- https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3
- https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011
Packages
MaterialX: affected version = 1.39.2; fixed version 1.39.3
Related vulnerabilities
MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, when parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file. This is fixed in version 1.39.3.