CVE-2025-53012

MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, nested imports of MaterialX files can lead to a crash via stack memory exhaustion, due to the lack of a limit on the "import chain" depth. When parsing file imports, recursion is used to process nested files; however, there is no limit imposed to the depth of files that can be parsed by the library. By building a sufficiently deep chain of MaterialX files one referencing the next, it is possible to crash the process using the MaterialX library via stack exhaustion. This is fixed in version 1.39.3.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/AcademySoftwareFoundation/MaterialX/blob/main/documents/Specification/MaterialX.Specification.md#mtlx-file-format-definition	Product
https://github.com/AcademySoftwareFoundation/MaterialX/pull/2233/commits/6182c07467297416a30d148ab531d81198686dc5	Patch
https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3	Release Notes
https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-qc2h-74x3-4v3w	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxfoundation:materialx:1.39.2:-:*:*:*:*:*:*

History

20 Aug 2025, 21:24

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Linuxfoundation Linuxfoundation materialx
CPE		cpe:2.3:a:linuxfoundation:materialx:1.39.2:-::::::
References	~~() https://github.com/AcademySoftwareFoundation/MaterialX/blob/main/documents/Specification/MaterialX.Specification.md#mtlx-file-format-definition -~~	() https://github.com/AcademySoftwareFoundation/MaterialX/blob/main/documents/Specification/MaterialX.Specification.md#mtlx-file-format-definition - Product
References	~~() https://github.com/AcademySoftwareFoundation/MaterialX/pull/2233/commits/6182c07467297416a30d148ab531d81198686dc5 -~~	() https://github.com/AcademySoftwareFoundation/MaterialX/pull/2233/commits/6182c07467297416a30d148ab531d81198686dc5 - Patch
References	~~() https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3 -~~	() https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3 - Release Notes
References	~~() https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-qc2h-74x3-4v3w -~~	() https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-qc2h-74x3-4v3w - Exploit, Vendor Advisory

04 Aug 2025, 15:06

Type	Values Removed	Values Added
Summary		(es) MaterialX es un estándar abierto para el intercambio de contenido de desarrollo visual y de materiales enriquecidos entre aplicaciones y renderizadores. En la versión 1.39.2, las importaciones anidadas de archivos MaterialX pueden provocar un fallo por agotamiento de la memoria de la pila, debido a la falta de un límite en la profundidad de la cadena de importación. Al analizar las importaciones de archivos, se utiliza la recursión para procesar los archivos anidados; sin embargo, no hay límite en la profundidad de los archivos que la libería puede analizar. Al crear una cadena suficientemente profunda de archivos MaterialX que referencian entre sí, es posible que el proceso que utiliza la libería MaterialX se bloquee por agotamiento de la pila. Esto se solucionó en la versión 1.39.3.

01 Aug 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-01 18:15

Updated : 2025-08-20 21:24

NVD link : CVE-2025-53012

Mitre link : CVE-2025-53012

CVE.ORG link : CVE-2025-53012

JSON object : View

Products Affected

linuxfoundation

materialx

CWE

CWE-400

Uncontrolled Resource Consumption

7.5 /10