OpenUSD File Parsing Use-After-Free Remote Code Execution Vulnerability

Patch

This is fixed with commit b953092, with the fix available in OpenUSD 25.11 and onwards.

Summary

We have been advised by Zero Day Initiative that our usage of the USD framework may constitute a Use-After-Free Remote Code Execution Vulnerability. They have sent us the attached file illustrating the issue. Indeed, we see a use after free exception when running the file through our importer with an address sanitizer.

zdi-23709-poc0.zip

Thanks in advance.

Published: Oct 29, 2025
Updated: Oct 30, 2025
GHSA: GHSA-grjp-54v3-c442
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-416

Affected Software
References

Software	From	Fixed in
usd-core	-	25.11

https://github.com/PixarAnimationStudios/OpenUSD/commit/b9530922b6a8ea72cd43661226b693fff8abbe4c
https://github.com/PixarAnimationStudios/OpenUSD/security/advisories/GHSA-grjp-54v3-c442

Vulnerability Database

OpenUSD File Parsing Use-After-Free Remote Code Execution Vulnerability

Patch

Summary

Deep Security Visibility Without the Complexity