CVE-2025-15538
Public on 2026-01-18
Modified on 2026-05-14
Description
A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. Affected by this vulnerability is the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. This and similar defects are tracked and handled via issue #6128.
Amazon Linux will not provide fixes for: CVE-2024-48426, CVE-2025-2752, CVE-2025-15538, CVE-2025-6119, CVE-2025-11275, CVE-2025-11274. These issues can only be triggered when processing specially crafted 3D model files from untrusted sources. The vulnerabilities are rated low to moderate severity and fixing them carries a high risk of regressions in 3D rendering functionality. Customers are advised to only use 3D asset files from trusted sources. No fix is planned for Amazon Linux at this time.
Amazon Linux will not provide fixes for: CVE-2024-48426, CVE-2025-2752, CVE-2025-15538, CVE-2025-6119, CVE-2025-11275, CVE-2025-11274. These issues can only be triggered when processing specially crafted 3D model files from untrusted sources. The vulnerabilities are rated low to moderate severity and fixing them carries a high risk of regressions in 3D rendering functionality. Customers are advised to only use 3D asset files from trusted sources. No fix is planned for Amazon Linux at this time.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | qt5-qt3d | No Fix Planned |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| NVD | CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |