CVE-2025-57107

EUVD-2025-37361
Kitware VTK (Visualization Toolkit) through 9.5.0 contains a heap buffer overflow vulnerability in vtkGLTFDocumentLoader. When processing specially crafted GLTF files, the copy constructor of Accessor objects fails to properly validate buffer boundaries before performing memory read operations.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
CISA-ADPADP
7.1 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Affected Products (NVD)
VendorProductVersion
vtkvtk
𝑥
≤ 9.5.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
vtk9
bookworm
no-dsa
bullseye
postponed
forky
vulnerable
sid
vulnerable
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
vtk
jammy
dne
noble
dne
plucky
dne
questing
dne
trusty
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://gitlab.kitware.com/vtk/vtk/-/issues/19732