CVE-2024-3207
Published: 02 April 2024
Summary
CVE-2024-3207 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Ermig1979 Simd. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 43.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised as Computer Vision, falls in the Other ATLAS/OWASP Terms risk domain, and has the MITRE ATLAS technique External Harms (AML.T0048) in scope.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31799
Vulnerability details
A vulnerability was found in ermig1979 Simd up to 6.0.134. It has been declared as critical. This vulnerability affects the function ReadUnsigned of the file src/Simd/SimdMemoryStream.h. The manipulation leads to heap-based buffer overflow. The exploit has been disclosed to the public and may be used. VDB-259054 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
AI Security Analysis
- AI Category: Computer Vision
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Simd (ermig1979/Simd) is a C++ library specializing in SIMD-optimized image processing and computer vision operations (e.g., filters, transformations, neural network primitives like convolutions), directly aligning with the Computer Vision category.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A heap-based buffer overflow in the Simd library's ReadUnsigned function enables remote unauthenticated arbitrary code execution via crafted input, facilitating T1203 (client-side exploitation) and T1210 (remote service exploitation, depending on application deployment).
MITRE ATLAS Techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.