CVE-2025-53012— MaterialX's Lack of Import Depth Limit Leads to DoS (Denial-Of-Service) Via Stack Exhaustion
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-53012
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MaterialX's Lack of Import Depth Limit Leads to DoS (Denial-Of-Service) Via Stack Exhaustion
Source: NVD (National Vulnerability Database)
Vulnerability Description
MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, nested imports of MaterialX files can lead to a crash via stack memory exhaustion, due to the lack of a limit on the "import chain" depth. When parsing file imports, recursion is used to process nested files; however, there is no limit imposed to the depth of files that can be parsed by the library. By building a sufficiently deep chain of MaterialX files one referencing the next, it is possible to crash the process using the MaterialX library via stack exhaustion. This is fixed in version 1.39.3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)
Vulnerability Title
MaterialX 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MaterialX是Academy Software Foundation开源的一个材料渲染软件。 MaterialX 1.39.2版本存在资源管理错误漏洞,该漏洞源于嵌套导入文件时缺乏深度限制,可能导致栈内存耗尽。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| AcademySoftwareFoundation | MaterialX | >= 1.39.2, < 1.39.3 | - |
II. Public POCs for CVE-2025-53012
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-53012
请登录查看更多情报信息。
Same Patch Batch · AcademySoftwareFoundation · 2025-08-01 · 5 CVEs total
| CVE-2025-48074 | OpenEXR's Unbounded File Header Values can Lead to Out-Of-Memory Errors | |
| CVE-2025-53010 | MaterialX's unchecked nodeGraph->getOutput return is vulnerable to NULL Pointer Dereferenc | |
| CVE-2025-53009 | MaterialX Stack Overflow via Lack of MTLX XML Parsing Recursion Limit | |
| CVE-2025-53011 | MaterialX is Vulnerable to NULL Pointer Dereference due to Unchecked implGraphOutput |
IV. Related Vulnerabilities
Same vendor: AcademySoftwareFoundation
- CVE-2026-42217
OpenEXR: Shift exponent overflow in `readVariableLengthInteg - CVE-2026-42216
OpenEXR: Out-of-bounds read in `IDManifest::init()` during p - CVE-2026-41142
OpenEXR is Vulnerable to Integer overflow in ImageChannel::r - CVE-2026-7582
AcademySoftwareFoundation OpenImageIO DDS Image ddsinput.cpp - CVE-2026-40250
OpenEXR has integer overflow in DWA decoder outBufferEnd poi
Same weakness: CWE-400
- CVE-2026-8187
Open5GS UPF gtp-path.c _gtpv1_u_recv_cb resource consumption - CVE-2026-42343
FastGPT: Uncontrolled Resource Consumption leading to Sandbo - CVE-2026-42212
SolidCAM-GPPL-IDE: XML External Entity (XXE) and billion-lau - CVE-2026-32686
Unbounded exponent in decimal enables unauthenticated DoS - CVE-2026-20188
Cisco Crosswork Network Controller and Cisco Network Service
V. Comments for CVE-2025-53012
No comments yet