Patch
This is fixed with commit b953092, with the fix available in OpenUSD 25.11 and onwards.
Summary
We have been advised by Zero Day Initiative that our usage of the USD framework may constitute a Use-After-Free Remote Code Execution Vulnerability. They have sent us the attached file illustrating the issue. Indeed, we see a use after free exception when running the file through our importer with an address sanitizer.
zdi-23709-poc0.zip
Thanks in advance.
Patch
This is fixed with commit b953092, with the fix available in OpenUSD 25.11 and onwards.
Summary
We have been advised by Zero Day Initiative that our usage of the USD framework may constitute a Use-After-Free Remote Code Execution Vulnerability. They have sent us the attached file illustrating the issue. Indeed, we see a use after free exception when running the file through our importer with an address sanitizer.
zdi-23709-poc0.zip
Thanks in advance.