{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/memory-disclosure/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["integer-overflow","denial-of-service","memory-disclosure","glTF","cgltf"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ecgltf is a minimalist C library for loading glTF 2.0 files. Versions 1.15 and earlier are vulnerable to an integer overflow in the \u003ccode\u003ecgltf_validate()\u003c/code\u003e function. This vulnerability occurs during the validation of sparse accessors within glTF/GLB files. An attacker can exploit this by crafting malicious glTF/GLB files with specifically chosen size values that trigger integer overflows in arithmetic operations during sparse accessor validation. Successful exploitation leads to out-of-bounds reads due to heap buffer over-reads in \u003ccode\u003ecgltf_calc_index_bound()\u003c/code\u003e. This results in a denial-of-service condition (application crash) and potentially leads to memory disclosure. Defenders should monitor applications parsing glTF/GLB files for unexpected crashes or abnormal memory access patterns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious glTF or GLB file.\u003c/li\u003e\n\u003cli\u003eThe crafted file contains a sparse accessor with attacker-controlled size values designed to cause an integer overflow.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application uses the cgltf library to parse the malicious glTF/GLB file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecgltf_validate()\u003c/code\u003e function is called to validate the glTF data, including the sparse accessor.\u003c/li\u003e\n\u003cli\u003eDuring sparse accessor validation, unchecked arithmetic operations occur with the attacker-controlled size values, resulting in an integer overflow.\u003c/li\u003e\n\u003cli\u003eThe integer overflow leads to an incorrect calculation of the index bound in the \u003ccode\u003ecgltf_calc_index_bound()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecgltf_calc_index_bound()\u003c/code\u003e attempts to access a heap buffer using the incorrect index bound.\u003c/li\u003e\n\u003cli\u003eThis results in an out-of-bounds read, causing a denial of service (application crash) or potentially exposing sensitive memory contents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition, as the application parsing the malicious glTF/GLB file crashes. Furthermore, the out-of-bounds read could potentially expose sensitive information from the application\u0026rsquo;s memory. The number of potential victims depends on the prevalence of applications using the vulnerable cgltf library to process potentially untrusted glTF/GLB files. Sectors affected could include any application that handles 3D models or scenes using the glTF format, such as game development, CAD software, and visualization tools.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of the cgltf library that addresses CVE-2026-32845.\u003c/li\u003e\n\u003cli\u003eImplement input validation on glTF/GLB files before parsing them with cgltf to prevent malicious size values from reaching the vulnerable \u003ccode\u003ecgltf_validate()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect glTF Parsing Process Crash\u0026rdquo; to identify processes crashing while parsing glTF/GLB files, which can indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable process crash reporting to collect detailed information about crashes, including memory dumps, which can aid in identifying the root cause and potential memory disclosure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T16:16:48Z","date_published":"2026-03-23T16:16:48Z","id":"/briefs/2026-03-cgltf-overflow/","summary":"cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors, allowing attackers to trigger out-of-bounds reads via crafted glTF/GLB files, leading to denial of service and potential memory disclosure.","title":"cgltf Integer Overflow Vulnerability in Sparse Accessor Validation","url":"https://feed.craftedsignal.io/briefs/2026-03-cgltf-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Memory-Disclosure","version":"https://jsonfeed.org/version/1.1"}