Headline
GHSA-3jhf-gxhr-q4cx: MaterialX Null Pointer Dereference in getShaderNodes due to Unchecked nodeGraph->getOutput return
Summary
When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.
Details
In src/MaterialXCore/Material.cpp, in function getShaderNodes, the following code fetches the output nodes for a given nodegraph input node:
// SNIP...
else if (input->hasNodeGraphString())
{
// Check upstream nodegraph connected to the input.
// If no explicit output name given then scan all outputs on the nodegraph.
ElementPtr parent = materialNode->getParent();
NodeGraphPtr nodeGraph = parent->getChildOfType<NodeGraph>(input->getNodeGraphString());
if (!nodeGraph)
{
continue;
}
vector<OutputPtr> outputs;
if (input->hasOutputString())
{
outputs.push_back(nodeGraph->getOutput(input->getOutputString())); // <--- null ptr is returned
}
else
{
outputs = nodeGraph->getOutputs();
}
for (OutputPtr output : outputs)
{
NodePtr upstreamNode = output->getConnectedNode(); // <--- CRASHES HERE
if (upstreamNode && !shaderNodeSet.count(upstreamNode))
{
if (!target.empty() && !upstreamNode->getNodeDef(target))
{
continue;
}
shaderNodeVec.push_back(upstreamNode);
shaderNodeSet.insert(upstreamNode);
}
}
}
}
// SNIP...
The issues arise because the nodeGraph->getOutput(input->getOutputString()) call can return a null pointer, therefore when trying to call output->getConnectedNode(), this results in a crash .
PoC
Please download nullptr_getshadernodes.mltx from the following link:
https://github.com/ShielderSec/poc/tree/main/CVE-2025-53010
build/bin/MaterialXView --material nullptr_getshadernodes.mtlx
Impact
An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file.
Summary
When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.
Details
In src/MaterialXCore/Material.cpp, in function getShaderNodes, the following code fetches the output nodes for a given nodegraph input node:
// SNIP… else if (input->hasNodeGraphString()) { // Check upstream nodegraph connected to the input. // If no explicit output name given then scan all outputs on the nodegraph. ElementPtr parent = materialNode->getParent(); NodeGraphPtr nodeGraph = parent->getChildOfType<NodeGraph>(input->getNodeGraphString()); if (!nodeGraph) { continue; } vector<OutputPtr> outputs; if (input->hasOutputString()) { outputs.push_back(nodeGraph->getOutput(input->getOutputString())); // <— null ptr is returned } else { outputs = nodeGraph->getOutputs(); } for (OutputPtr output : outputs) { NodePtr upstreamNode = output->getConnectedNode(); // <— CRASHES HERE if (upstreamNode && !shaderNodeSet.count(upstreamNode)) { if (!target.empty() && !upstreamNode->getNodeDef(target)) { continue; } shaderNodeVec.push_back(upstreamNode); shaderNodeSet.insert(upstreamNode); } } } } // SNIP…
The issues arise because the nodeGraph->getOutput(input->getOutputString()) call can return a null pointer, therefore when trying to call output->getConnectedNode(), this results in a crash .
PoC
Please download nullptr_getshadernodes.mltx from the following link:
https://github.com/ShielderSec/poc/tree/main/CVE-2025-53010
build/bin/MaterialXView --material nullptr_getshadernodes.mtlx
Impact
An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file.
References
- GHSA-3jhf-gxhr-q4cx
- AcademySoftwareFoundation/MaterialX@e13344b
- https://github.com/ShielderSec/poc/tree/main/CVE-2025-53010