Cyber Resilience

CVE-2024-55192

Critical · Public PoC

Published: 23 January 2025
Modified: 05 February 2025
KEV Added: not listed
Patch: see the referenced GitHub issue
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (46.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-55192 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in OpenImageIO (vendor/product: Openimageio Openimageio). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 46.3rd percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced, so the low EPSS should not be read as "no working trigger exists".

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-55192 is a heap overflow in OpenImageIO version 3.1.0.0dev. The flaw surfaces in the component OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*). Fetch64 is farmhash's unaligned 8-byte load helper (a memcpy of eight bytes from the pointer it is given); it has no length parameter, so an overflow reported there means the hashing loop was driven past the end of its heap buffer by whatever length the caller trusted. The advisory records the flaw as CWE-787 (Out-of-bounds Write) and CWE-122 (Heap-based Buffer Overflow); because a load helper overruns on the read side, practitioners triaging this should confirm from the upstream issue whether the report describes a write or an out-of-bounds read before assuming the full integrity impact implied by the score. Published on 2025-01-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical severity.

The CVSS vector models a remote attacker who needs no privileges or user interaction and faces low attack complexity. In practice the exposure is any tool or service that opens untrusted images with OpenImageIO: the ATT&CK mapping below assumes a malicious image file handed to a client such as oiiotool or iconvert, and a network-facing pipeline that ingests user-supplied images is the realistic remote path. Successful exploitation enables high-impact consequences, including unauthorized disclosure of information, modification of data, and denial of service, potentially allowing arbitrary code execution via the heap overflow.
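To make the mechanism concrete, the following C program is an added example written for this page; it is not OpenImageIO's or farmhash's code. It reproduces the shape of farmhash's Fetch64 (an unaligned 8-byte memcpy load with no length argument) and a hypothetical length-prefixed chunk whose header length is trusted. The unchecked hash walks past the bytes actually in memory and its result depends on neighbouring bytes, which is both the crash fuzzers report and an information leak; the checked variant validates the declared length before any load, which is the input-validation control the mitigations section calls for. The chunk layout, the mixing function, the `IMGDATA!` sample and the 32-byte arena are constructed for illustration.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same shape as farmhash's Fetch64: an unaligned 8-byte load through memcpy.
 * It takes only a pointer, so it cannot know how much of the buffer is
 * valid; every caller must guarantee that p[0..7] exists. */
static uint64_t fetch64(const char *p)
{
    uint64_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Toy mixing step (not farmhash's real algorithm). XOR, multiply by an odd
 * constant and shift-xor are each bijective on 64-bit values, so two inputs
 * that differ in any 8-byte word always hash differently. */
static uint64_t mix(uint64_t h, uint64_t v)
{
    h ^= v;
    h *= 0x9ddfea08eb382d69ULL;
    h ^= h >> 47;
    return h;
}

/* Hash `len` bytes: whole 8-byte words via fetch64, then the tail bytewise. */
static uint64_t hash_bytes(const char *p, size_t len)
{
    uint64_t h = 0x1234567887654321ULL;
    size_t i = 0;
    for (; i + 8 <= len; i += 8)
        h = mix(h, fetch64(p + i));
    for (; i < len; i++)
        h = mix(h, (unsigned char)p[i]);
    return h;
}

/* Hypothetical length-prefixed chunk as a decoder might hold it in memory.
 * declared_len comes from the file header (attacker-controlled);
 * payload_len is how many bytes were actually read into the buffer. */
typedef struct {
    uint32_t declared_len;
    const char *payload;
    size_t payload_len;
} chunk_t;

/* Vulnerable pattern: trusts the header and lets fetch64 walk
 * declared_len bytes, so a lying header reads past payload_len. */
uint64_t hash_chunk_unchecked(const chunk_t *c)
{
    return hash_bytes(c->payload, c->declared_len);
}

/* Hardened pattern: validate the header against the bytes present before
 * any fetch64 runs. Returns 0 and stores the hash, or -1 and leaves *out. */
int hash_chunk_checked(const chunk_t *c, uint64_t *out)
{
    if (c->payload == NULL || c->declared_len > c->payload_len)
        return -1;
    *out = hash_bytes(c->payload, c->declared_len);
    return 0;
}

/* Constructed demo input: a 32-byte arena whose first 8 bytes are the real
 * payload and whose remaining bytes stand in for neighbouring heap data.
 * The header claims 16 bytes. Because the arena is one object the over-read
 * stays inside it here; against a real 8-byte heap allocation it would run
 * off the allocation, which is the class of bug the OpenImageIO report is. */
uint64_t demo_unchecked_over_read(char neighbour_fill)
{
    char arena[32];
    memset(arena, neighbour_fill, sizeof arena);
    memcpy(arena, "IMGDATA!", 8);
    chunk_t c = { 16, arena, 8 };
    return hash_chunk_unchecked(&c);
}

/* Same lying header through the checked path: rejected before any load. */
int demo_checked_rejects_over_read(void)
{
    char arena[32] = "IMGDATA!";
    uint64_t h = 0;
    chunk_t c = { 16, arena, 8 };
    return hash_chunk_checked(&c, &h);
}

/* Honest header: the checked path accepts it and agrees with the unchecked
 * one, so the bounds check changes nothing for well-formed input. */
int demo_checked_accepts_valid(uint64_t *checked, uint64_t *unchecked)
{
    char arena[32] = "IMGDATA!";
    chunk_t c = { 8, arena, 8 };
    *unchecked = hash_chunk_unchecked(&c);
    return hash_chunk_checked(&c, checked);
}

int main(void)
{
    uint64_t a = demo_unchecked_over_read('A');
    uint64_t b = demo_unchecked_over_read('B');
    printf("unchecked, neighbour 'A': %016" PRIx64 "\n", a);
    printf("unchecked, neighbour 'B': %016" PRIx64 "\n", b);
    printf("hash depends on bytes outside the payload: %s\n", a != b ? "yes" : "no");
    printf("checked path on the same header: %d (-1 = rejected)\n",
           demo_checked_rejects_over_read());
    return 0;
}
```

Build with `cc -fsanitize=address` and replace the arena with a heap buffer of exactly 8 bytes (for example `malloc(8)`) to see the unchecked path reported as a heap-buffer-overflow read, which is how fuzzers surface this class of bug; the checked path produces no report because the lying header never reaches fetch64.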

Mitigation details are available in the referenced GitHub issue at https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4550.

Vulnerability details

OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*).

CWE(s)

CWE-787 Out-of-bounds Write
CWE-122 Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

A heap buffer overflow in the OpenImageIO library (used by tools such as iconvert and oiiotool), triggered by a malicious image file, gives an attacker code execution inside the client application that opens the file; that is the client-side exploitation pattern T1203 describes.

CVEs Like This One

CVE-2024-55194 (same product: Openimageio Openimageio)
CVE-2026-43909 (same product: Openimageio Openimageio)
CVE-2026-43908 (same product: Openimageio Openimageio)
CVE-2026-43907 (same product: Openimageio Openimageio)
CVE-2024-55193 (same product: Openimageio Openimageio)
CVE-2026-5403 (shared CWE-122, CWE-787)
CVE-2026-5405 (shared CWE-122, CWE-787)
CVE-2026-42483 (shared CWE-122, CWE-787)
CVE-2025-27091 (shared CWE-122, CWE-787)
CVE-2026-42046 (shared CWE-122, CWE-787)

Affected Assets

Vendor: openimageio
Product: openimageio
Version: 3.1.0.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mandates timely identification, reporting, and remediation of software flaws such as this heap overflow in OpenImageIO: track the referenced GitHub issue and move affected builds to a fixed version as soon as one is available.

SI-16 Memory Protection (prevent)

Implements memory protections such as non-executable heap regions and address-space randomization to block or raise the cost of turning a heap overflow into code execution or data corruption; these do not prevent the crash (denial of service) or an out-of-bounds read itself.

SI-10 Information Input Validation (prevent)

Requires validation of image inputs before they reach OpenImageIO, so that malformed length or size fields cannot drive the Fetch64 hashing loop past the end of its buffer.

References

https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4550