CVE-2024-55193
Published: 23 January 2025
Summary
CVE-2024-55193 is a critical-severity NULL Pointer Dereference (CWE-476) vulnerability in Openimageio Openimageio. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 42.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-55193 is a segmentation violation vulnerability in OpenImageIO version 3.1.0.0dev, affecting the component /OpenImageIO/string_view.h. The issue, published on 2025-01-23, is associated with CWE-476 (NULL Pointer Dereference) and NVD-CWE-Other, and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
An unauthenticated attacker with network access can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized disclosure of information, modification of data, and denial of service through system crashes or potential code execution.
Mitigation details are available in the GitHub issue at https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4551.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52747
Vulnerability details
OpenImageIO v3.1.0.0dev was discovered to contain a segmentation violation via the component /OpenImageIO/string_view.h.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The segmentation fault in OpenImageIO's string_view during JPEG ICC profile processing is triggered by a crafted image (PoC provided), enabling endpoint denial of service through application exploitation.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely remediation of known software flaws like the null pointer dereference causing segmentation violation in OpenImageIO's string_view.h.
Mandates vulnerability scanning and monitoring to identify systems affected by CVE-2024-55193.
Provides runtime memory protections that mitigate exploitation of the null pointer dereference leading to crashes or potential code execution.