CVE-2026-42481

EUVD-2026-26678

01.05.2026, 16:16

Open CASCADE Technology (OCCT) V8_0_0_rc5 contains multiple vulnerabilities in its IGES and STEP file parsers that can be triggered by crafted IGES or STEP files. These issues include an out-of-bounds read in Geom2d_BSplineCurve::EvalD0 during IGES B-spline curve evaluation, an out-of-bounds read in MakeBSplineCurveCommon during STEP B-spline curve construction, and infinite recursion in StepShape_OrientedEdge::EdgeStart when processing a self-referential OrientedEdge entity. Successful exploitation may result in denial of service or unintended memory disclosure.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
opencascade	open_cascade_technology	𝑥 ≤ 7.9.3
opencascade	open_cascade_technology	8.0.0:beta1
opencascade	open_cascade_technology	8.0.0:rc1
opencascade	open_cascade_technology	8.0.0:rc2
opencascade	open_cascade_technology	8.0.0:rc3
opencascade	open_cascade_technology	8.0.0:rc4
opencascade	open_cascade_technology	8.0.0:rc5

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a