exploitDog
GHSA-grjp-54v3-c442

Published: 29 Oct 2025
Source: github
GitHub: reviewed
CVSS4: 6.9

Description

OpenUSD File Parsing Use-After-Free Remote Code Execution Vulnerability

Patch

This is fixed by commit b953092; the fix ships in OpenUSD 25.11 and later.

Summary

We have been advised by Zero Day Initiative that our usage of the USD framework may constitute a Use-After-Free Remote Code Execution Vulnerability. They have sent us the attached file illustrating the issue. Indeed, we see a use-after-free error when running the file through our importer with AddressSanitizer.

zdi-23709-poc0.zip

Thanks in advance.

Packages

Name: usd-core (pip)
Affected versions: <= 25.08
Fixed version: 25.11
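The package table above is the only actionable detail the advisory gives, so the check a practitioner wants is whether a pinned or installed usd-core falls inside the affected range. The following is an added example, not code from the advisory or from the OpenUSD project: it parses OpenUSD-style version strings and classifies them against the published range (<= 25.08 affected, 25.11 first fixed). The version parser, the assumption that versions are YY.MM with an optional numeric patch component or trailing letter (e.g. 25.05a), the handling of PyPI's zero-stripping ("25.08" vs "25.8"), and the "unlisted" status for versions between the two bounds are all this example's own assumptions, not statements from the page.

```python
"""
Added example (not from the advisory or the OpenUSD project): classify a
usd-core version against the range published for GHSA-grjp-54v3-c442
(<= 25.08 affected, fixed in 25.11).

Assumptions not stated on the page: OpenUSD versions are YY.MM with an
optional numeric patch component or a trailing letter (e.g. 25.05a), and
PyPI may normalise a zero-padded component ("25.08" -> "25.8"). The parser
below is this example's own, not the project's.
"""
import re
from importlib import metadata

ADVISORY = "GHSA-grjp-54v3-c442"
PACKAGE = "usd-core"
LAST_AFFECTED = "25.08"   # from the advisory's package table
FIRST_FIXED = "25.11"     # first release carrying commit b953092

_COMPONENT = re.compile(r"^(\d+)([a-z]?)$")


def parse_version(version: str):
    """Turn '25.08', '25.8', '25.5.1' or '25.05a' into a comparable tuple.

    Each dotted component becomes (number, letter_rank); a missing patch
    component compares equal to 0, so '25.08' == '25.8' == '25.8.0'.
    A trailing letter ranks above the bare number ('25.05a' > '25.05').
    """
    parts = []
    for component in version.strip().lower().split("."):
        m = _COMPONENT.match(component)
        if not m:
            raise ValueError(f"unrecognised component {component!r} in {version!r}")
        number, letter = m.groups()
        parts.append((int(number), ord(letter) - ord("a") + 1 if letter else 0))
    while len(parts) < 3:
        parts.append((0, 0))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is within the advisory's affected range."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def is_fixed(version: str) -> bool:
    """True when the version is at or past the first fixed release."""
    return parse_version(version) >= parse_version(FIRST_FIXED)


def status(version: str) -> str:
    if is_affected(version):
        return "affected"
    if is_fixed(version):
        return "fixed"
    # Between the bounds: not on the advisory's table, so do not assume it is safe.
    return "unlisted"


def installed_status(package: str = PACKAGE) -> str:
    """Look up the package in the current environment and classify it."""
    try:
        version = metadata.version(package)
    except metadata.PackageNotFoundError:
        return "not installed"
    return f"{package} {version}: {status(version)}"


if __name__ == "__main__":
    # Constructed sample pins, as they might appear in a requirements.txt.
    for pin in ["24.11", "25.05a", "25.08", "25.8", "25.11", "26.02"]:
        print(f"{ADVISORY}: {PACKAGE}=={pin} -> {status(pin)}")
    print(installed_status())
```

Run it inside the virtualenv that carries the importer; a result of "unlisted" means the version sits between the advisory's two bounds and should be treated as unverified rather than as patched.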

Severity: 6.9 Medium (CVSS4)

Weaknesses

CWE-416 (Use After Free)
