CVE-2024-55192
Published: 23 January 2025
Summary
CVE-2024-55192 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in OpenImageIO. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); it is ranked at the 46.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-55192 is a heap overflow vulnerability in OpenImageIO version 3.1.0.0dev. The flaw occurs in the component OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*), aligning with CWE-787 (Out-of-bounds Write) and CWE-122 (Heap-based Buffer Overflow). Published on 2025-01-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical severity.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. Successful exploitation enables high-impact consequences, including unauthorized disclosure of information, modification of data, and denial of service, potentially allowing arbitrary code execution via the heap overflow.
Mitigation details are available in the referenced GitHub issue at https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4550.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52746
Vulnerability details
OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*).
- CWE(s): CWE-787 (Out-of-bounds Write), CWE-122 (Heap-based Buffer Overflow)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A heap buffer overflow in the OpenImageIO library (used by tools such as iconvert and oiiotool), triggered by a malicious image file, enables arbitrary code execution through exploitation of the client-side application that opens the file.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mandates timely identification, reporting, and remediation of software flaws such as this heap overflow vulnerability in OpenImageIO.
- SI-16 (Memory Protection): Implements memory protections such as non-executable heap regions and address randomization to block exploitation of heap overflows for code execution or data corruption.
- SI-10 (Information Input Validation): Requires validation of image inputs to OpenImageIO to prevent malformed data from triggering the Fetch64 heap overflow.