CVE-2024-55192
Published: 23 January 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2024-55192 is a heap buffer overflow in OpenImageIO version 3.1.0.0dev. The reported crash site is OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*), the 8-byte load helper of the farmhash implementation bundled with OpenImageIO; it copies eight bytes from whatever address it is handed and relies entirely on its caller to guarantee that those bytes exist, so an over-long length reaching the hash loop walks off the end of the heap buffer being hashed. The record maps the flaw to CWE-787 (Out-of-bounds Write) and CWE-122 (Heap-based Buffer Overflow). Published on 2025-01-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), critical severity.
The vector rates the flaw as network-reachable, with no privileges or user interaction required and low attack complexity, and as high impact on confidentiality, integrity and availability, up to arbitrary code execution via the heap overflow. Two caveats matter when triaging it. First, the trigger is a crafted image file: AV:N/UI:N applies literally where OpenImageIO parses untrusted images unattended (a conversion, thumbnailing or ingest service), while on a workstation the realistic path is a user opening or converting an attacker-supplied file. Second, Fetch64 is a load, so the out-of-bounds access at the reported site is a read past the hashed buffer; an over-read by itself yields a crash or a leak of adjacent heap memory, and turning it into code execution would require more than the Fetch64 site alone provides. Treat the 9.8 as the upper bound for an exposed service and rescore for the actual deployment.
Mitigation details are available in the referenced GitHub issue at https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4550.
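To make the root cause concrete, the following is an added illustration, not OpenImageIO's or farmhash's code and not the actual vulnerable call path (which the issue, not this page, describes): a Fetch64-style 8-byte load as farmhash uses, a toy hash loop that trusts a length taken from a file header, and the check a caller needs, namely that the length handed to the hasher never exceeds the allocation it refers to. The function names, the seed constant and the sample bytes are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Arbitrary seed for the toy hash (constructed; not a farmhash value). */
#define SEED 0x9ae16a3b2f90404fULL

/* What farmhash's Fetch64 does: an unaligned 8-byte load via memcpy.
 * It has no knowledge of how large the buffer behind p is; the caller
 * must guarantee that p[0..7] are valid. */
static uint64_t fetch64(const char *p) {
    uint64_t result;
    memcpy(&result, p, sizeof(result));
    return result;
}

/* Toy hash in the style of the farmhash loops: consumes the input in
 * 8-byte steps and then a partial tail. It trusts 'len' completely. If
 * 'len' exceeds the real allocation, fetch64 reads past the buffer end:
 * that is the shape of the bug class behind CVE-2024-55192. */
static uint64_t hash_untrusted_len(const char *p, size_t len) {
    uint64_t h = SEED;
    size_t i = 0;
    for (; i + 8 <= len; i += 8)
        h = (h ^ fetch64(p + i)) * 0x9ddfea08eb382d69ULL;
    if (i < len) {                       /* 1..7 remaining bytes */
        uint64_t tail = 0;
        memcpy(&tail, p + i, len - i);
        h = (h ^ tail) * 0x9ddfea08eb382d69ULL;
    }
    return h;
}

/* Hardened entry point: 'buf_size' comes from the allocation the program
 * made itself, 'declared_len' comes from the untrusted file. The hasher
 * is only reached when the file's claim fits inside the allocation. */
static bool hash_checked(const char *buf, size_t buf_size,
                         size_t declared_len, uint64_t *out) {
    if (declared_len > buf_size)
        return false;                    /* refuse: would read past the heap block */
    *out = hash_untrusted_len(buf, declared_len);
    return true;
}

/* Constructed sample: 16 bytes of "pixel data" actually allocated. */
static const char SAMPLE_PIXELS[16] = "0123456789abcde";

/* Crafted-file scenario: the header claims 64 bytes, only 16 exist.
 * Returns true when the check correctly refuses to hash. */
bool demo_header_claims_too_much(void) {
    uint64_t h;
    return !hash_checked(SAMPLE_PIXELS, sizeof SAMPLE_PIXELS, 64, &h);
}

/* Honest-file scenario: lengths of 16 (full blocks only) and 13 (block +
 * tail) both fit and must both be accepted. */
bool demo_header_matches(void) {
    uint64_t h_full, h_tail;
    if (!hash_checked(SAMPLE_PIXELS, sizeof SAMPLE_PIXELS, 16, &h_full))
        return false;
    if (!hash_checked(SAMPLE_PIXELS, sizeof SAMPLE_PIXELS, 13, &h_tail))
        return false;
    return true;
}

int main(void) {
    printf("oversized header rejected: %s\n",
           demo_header_claims_too_much() ? "yes" : "NO");
    printf("matching header accepted:  %s\n",
           demo_header_matches() ? "yes" : "NO");
    return 0;
}
```

The point of the split is where the check lives: Fetch64 cannot be fixed in isolation because it is correct for in-bounds input, so the guard belongs at the boundary where a file-supplied size is first compared against the size the program actually allocated. Run the unchecked variant under AddressSanitizer with a mismatched length to see the same kind of heap-buffer-overflow report that fuzzers produce for this class of bug.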
Details
- CWE(s)
- CWE-787 (Out-of-bounds Write), CWE-122 (Heap-based Buffer Overflow)
Affected Products
- OpenImageIO 3.1.0.0dev
AI Security Analysis
- AI Category
- Computer Vision
- Risk Domain
- Not Applicable
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- OpenImageIO is an image processing library used for reading, writing, and manipulating images, commonly in computer vision pipelines and AI/ML workflows for handling image data.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A crafted image file processed by any program that links OpenImageIO (the project's own iconvert and oiiotool, or a third-party application that embeds the library) triggers the heap buffer overflow, so the mapped technique is exploitation of a client application for code execution.