logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-53011 materialx

Package

Manager: pip
Name: materialx
Vulnerable Version: =1.39.2 || >=1.39.2 <1.39.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

EPSS: 0.0004 pctl0.11175

Details

MaterialX Null Pointer Dereference in MaterialXCore Shader Generation due to Unchecked implGraphOutput ### Summary When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. ### Details In `source/MaterialXCore/Material.cpp`, the following code extracts the output nodes for a given implementation graph: ```cpp InterfaceElementPtr impl = materialNodeDef->getImplementation(); if (impl && impl->isA<NodeGraph>()) { NodeGraphPtr implGraph = impl->asA<NodeGraph>(); for (OutputPtr defOutput : materialNodeDef->getOutputs()) { if (defOutput->getType() == MATERIAL_TYPE_STRING) { OutputPtr implGraphOutput = implGraph->getOutput(defOutput->getName()); for (GraphIterator it = implGraphOutput->traverseGraph().begin(); it != GraphIterator::end(); ++it) { ElementPtr upstreamElem = it.getUpstreamElement(); if (!upstreamElem) { it.setPruneSubgraph(true); continue; } NodePtr upstreamNode = upstreamElem->asA<Node>(); if (upstreamNode && upstream ``` However, when defining the `implGraphOutput` variable by getting the output node, the code doesn't check whether its value is null before accessing its iterator `traverseGraph()`. This leads to a potential null pointer dereference. ### PoC Please download `nullptr_implgraph.mtlx` from the following link: https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011 `build/bin/MaterialXView --material nullptr_implgraph.mtlx` ### Impact An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.

Metadata

Created: 2025-07-31T18:31:23Z
Modified: 2025-08-01T18:36:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-7qw8-3vmf-gj32/GHSA-7qw8-3vmf-gj32.json
CWE IDs: ["CWE-476"]
Alternative ID: GHSA-7qw8-3vmf-gj32
Finding: F002
Auto approve: 1