CVE-2026-32845 · HIGH 8.4 · EPSS percentile 2.5%

CVE-2026-32845

Description

cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors that allows attackers to trigger out-of-bounds reads by supplying crafted glTF/GLB input files with attacker-controlled size values. Attackers can exploit unchecked arithmetic operations in sparse accessor validation to cause heap buffer over-reads in cgltf_calc_index_bound(), resulting in denial of service crashes and potential memory disclosure.

Scoring

CVSS 3.1: 8.4 (HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.13% probability of exploitation · percentile 2.5% · 2026-06-19T12:03:05Z
Published: 2026-03-23
Last modified: 2026-05-01

Underlying weaknesses (1)

CWE-190

References

  1. https://github.com/jkuhlmann/cgltf/issues/287
  2. https://www.vulncheck.com/advisories/jkuhlmann-cgltf-sparse-accessor-validation-integer-overflow


Type: Weakness
Target: Integer Overflow or Wraparound (cwe-190)
Confidence: 0%
Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-4675
CVE: CVE-2026-2315
CVE: CVE-2026-42480
CVE: CVE-2026-11085
CVE: CVE-2026-3536
CVE: CVE-2026-11015
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.