GHSA-grjp-54v3-c442: OpenUSD File Parsing Use-After-Free Remote Code Execution Vulnerability
We have been advised by Zero Day Initiative that our usage of the USD framework may constitute a Use-After-Free Remote Code Execution Vulnerability. They have sent us the attached file illustrating the issue. Indeed, we see a use-after-free exception when running the file through our importer with an address sanitizer.
Thanks in advance.