CVE-2020-13524 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Openusd

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787 — Out-of-bounds Write6 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.4%

top 38.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple MAC OS X Apple Macos Pixar Openusd

Timeline

PublishedDec 3

Latest updateMay 24

Description

An out-of-bounds memory corruption vulnerability exists in the way Pixar OpenUSD 20.05 uses SPECS data from binary USD files. A specially crafted malformed file can trigger an out-of-bounds memory access and modification which results in memory corruption. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDpixar/openusd20.05

▶NVDapple/macos11.0 — 11.1

▶NVDapple/mac_os_x10.14.0 — 10.14.6+3

🔴Vulnerability Details

GHSA

GHSA-8f9r-9957-fj34: An out-of-bounds memory corruption vulnerability exists in the way Pixar OpenUSD 20↗2022-05-24

▶

CVEList

CVE-2020-13524: An out-of-bounds memory corruption vulnerability exists in the way Pixar OpenUSD 20↗2020-12-03

▶

📋Vendor Advisories

Apple

CVE-2020-13524: iOS 14.2 and iPadOS 14.2↗2020-11-05

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Multiple vulnerabilities in Pixar OpenUSD affects some versions of macOS↗2020-11-12

▶

Talos

Vulnerability Spotlight: Multiple vulnerabilities in Pixar OpenUSD affects some versions of macOS↗2020-11-12

▶