Headline
GHSA-7qw8-3vmf-gj32: MaterialX Null Pointer Dereference in MaterialXCore Shader Generation due to Unchecked implGraphOutput
Summary
When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.
Details
In source/MaterialXCore/Material.cpp, the following code extracts the output nodes for a given implementation graph:
InterfaceElementPtr impl = materialNodeDef->getImplementation();
if (impl && impl->isA<NodeGraph>())
{
NodeGraphPtr implGraph = impl->asA<NodeGraph>();
for (OutputPtr defOutput : materialNodeDef->getOutputs())
{
if (defOutput->getType() == MATERIAL_TYPE_STRING)
{
OutputPtr implGraphOutput = implGraph->getOutput(defOutput->getName());
for (GraphIterator it = implGraphOutput->traverseGraph().begin(); it != GraphIterator::end(); ++it)
{
ElementPtr upstreamElem = it.getUpstreamElement();
if (!upstreamElem)
{
it.setPruneSubgraph(true);
continue;
}
NodePtr upstreamNode = upstreamElem->asA<Node>();
if (upstreamNode && upstream
However, when defining the implGraphOutput variable by getting the output node, the code doesn’t check whether its value is null before accessing its iterator traverseGraph(). This leads to a potential null pointer dereference.
PoC
Please download nullptr_implgraph.mtlx from the following link:
https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011
build/bin/MaterialXView --material nullptr_implgraph.mtlx
Impact
An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.
Summary
When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.
Details
In source/MaterialXCore/Material.cpp, the following code extracts the output nodes for a given implementation graph:
InterfaceElementPtr impl = materialNodeDef->getImplementation(); if (impl && impl->isA<NodeGraph>()) { NodeGraphPtr implGraph = impl->asA<NodeGraph>(); for (OutputPtr defOutput : materialNodeDef->getOutputs()) { if (defOutput->getType() == MATERIAL_TYPE_STRING) { OutputPtr implGraphOutput = implGraph->getOutput(defOutput->getName()); for (GraphIterator it = implGraphOutput->traverseGraph().begin(); it != GraphIterator::end(); ++it) { ElementPtr upstreamElem = it.getUpstreamElement(); if (!upstreamElem) { it.setPruneSubgraph(true); continue; } NodePtr upstreamNode = upstreamElem->asA<Node>(); if (upstreamNode && upstream
However, when defining the implGraphOutput variable by getting the output node, the code doesn’t check whether its value is null before accessing its iterator traverseGraph(). This leads to a potential null pointer dereference.
PoC
Please download nullptr_implgraph.mtlx from the following link:
https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011
build/bin/MaterialXView --material nullptr_implgraph.mtlx
Impact
An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.
References
- GHSA-7qw8-3vmf-gj32
- AcademySoftwareFoundation/MaterialX@7ac1c71
- https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011