CVE-2024-55193

CriticalPublic PoC

Published: 23 January 2025

Published

23 January 2025

Modified

29 January 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0021 42.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Security Summary

CVE-2024-55193 is a segmentation violation vulnerability in OpenImageIO version 3.1.0.0dev, affecting the component /OpenImageIO/string_view.h. The issue, published on 2025-01-23, is associated with CWE-476 (NULL Pointer Dereference) and NVD-CWE-Other, and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

An unauthenticated attacker with network access can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized disclosure of information, modification of data, and denial of service through system crashes or potential code execution.

Mitigation details are available in the GitHub issue at https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4551.

Details

CWE(s): NVD-CWE-OtherCWE-476

Affected Products

openimageio

3.1.0.0

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

The segmentation fault in OpenImageIO's string_view during JPEG ICC profile processing is triggered by a crafted image (PoC provided), enabling endpoint denial of service through application exploitation.

References

https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4551
Exploit, Third Party Advisory · cve@mitre.org