{ "affected": [ { "ranges": [ { "events": [ { "introduced": "c27914b8d0ed042948ee40526458f2673f5284fa" }, { "fixed": "3b79bd735036dc96942836a9d076b6af3bd8fbdf" } ], "repo": "https://github.com/academysoftwarefoundation/materialx", "type": "GIT" } ] } ], "aliases": [ "GHSA-7qw8-3vmf-gj32" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-476" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53011.json" }, "details": "MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, when parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file. This is fixed in version 1.39.3.", "id": "CVE-2025-53011", "modified": "2026-04-01T23:10:06.170687528Z", "published": "2025-08-01T17:58:47.388Z", "references": [ { "type": "WEB", "url": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3" }, { "type": "WEB", "url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011" }, { "type": "ADVISORY", "url": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-7qw8-3vmf-gj32" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53011.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53011" }, { "type": "FIX", "url": "https://github.com/AcademySoftwareFoundation/MaterialX/commit/7ac1c71de5187dc29793292b5a8dc6d784192ecf" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "type": "CVSS_V4" } ], "summary": "MaterialX is Vulnerable to NULL Pointer Dereference due to Unchecked implGraphOutput" }