MaterialX Null Pointer Dereference in MaterialXCore Shader Generation due to Unchecked implGraphOutput

Description

Summary

When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.

Details

In source/MaterialXCore/Material.cpp, the following code extracts the output nodes for a given implementation graph:

   InterfaceElementPtr impl = materialNodeDef->getImplementation();
            if (impl && impl->isA<NodeGraph>())
            {
                NodeGraphPtr implGraph = impl->asA<NodeGraph>();
                for (OutputPtr defOutput : materialNodeDef->getOutputs())
                {
                    if (defOutput->getType() == MATERIAL_TYPE_STRING)
                    {
                        OutputPtr implGraphOutput = implGraph->getOutput(defOutput->getName());
                        for (GraphIterator it = implGraphOutput->traverseGraph().begin(); it != GraphIterator::end(); ++it)
                        {
                            ElementPtr upstreamElem = it.getUpstreamElement();
                            if (!upstreamElem)
                            {
                                it.setPruneSubgraph(true);
                                continue;
                            }
                            NodePtr upstreamNode = upstreamElem->asA<Node>();
                            if (upstreamNode && upstream

However, when defining the implGraphOutput variable by getting the output node, the code doesn't check whether its value is null before accessing its iterator traverseGraph(). This leads to a potential null pointer dereference.

PoC

Please download nullptr_implgraph.mtlx from the following link:

https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011

build/bin/MaterialXView --material nullptr_implgraph.mtlx

Impact

An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-07-31 18:31:23 UTC
Updated
2025-08-01 18:36:12 UTC
GitHub reviewed
2025-07-31 18:31:23 UTC
NVD published
2025-08-01

EPSS Score

Score Percentile
0.11% 29.58%

CVSS Scores

Base score Version Severity Vector
2.0 4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P Click to expand
Attack vector (AV:L)
Attacker needs local access on the target system.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:N)
No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N)
No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:L)
Limited availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.
Exploit maturity (threat) (E:P)
Proof-of-concept: public PoC exists; no reported exploitation and no known simplification tools.

Identifiers

CWEs

CWE id Name
CWE-476 NULL Pointer Dereference

Credits

  • suidpit (reporter)
  • TheZ3ro (reporter)
  • ndaprela (reporter)
  • smaury (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip MaterialX = 1.39.2 1.39.3

References

cvelogic Threat Intelligence