CVE-2024-55194
Published: 23 January 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2024-55194 is a heap overflow vulnerability affecting OpenImageIO version 3.1.0.0dev, specifically within the component located at /OpenImageIO/fmath.h. The issue corresponds to CWE-787 (Out-of-bounds Write) and CWE-120 (Buffer Copy without Checking Size of Input), earning a CVSS v3.1 base score of 9.8, indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.
The vulnerability enables exploitation over a network by unauthenticated attackers with low complexity and no user interaction required, as per the CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Successful exploitation could allow remote attackers to trigger the heap overflow, potentially leading to arbitrary code execution, data corruption, or denial of service by compromising the affected application's memory handling.
The vulnerability was reported in GitHub issue #4552 on the AcademySoftwareFoundation/OpenImageIO repository, with references pointing to this issue for further details on discovery and discussion. No specific patch or mitigation details are outlined in the provided CVE information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap buffer overflow in OpenImageIO image processing (fmath.h during pixel stats computation) enables arbitrary code execution via crafted malicious images in vulnerable client applications.