CVE-2025-57108

EUVD-2025-37360
Kitware VTK (Visualization Toolkit) through 9.5.0 contains a heap use-after-free vulnerability in vtkGLTFDocumentLoader. The vulnerability manifests during mesh object copy operations where vector members are accessed after the underlying memory has been freed, specifically when handling GLTF files with corrupted or invalid mesh reference structures.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
Affected Products (NVD)
VendorProductVersion
vtkvtk
𝑥
≤ 9.5.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
vtk9
bookworm
no-dsa
bullseye
postponed
forky
vulnerable
sid
vulnerable
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
vtk
jammy
dne
noble
dne
plucky
dne
questing
dne
trusty
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://gitlab.kitware.com/vtk/vtk/-/issues/19736