Cyber Resilience

CVE-2024-55193

CriticalPublic PoC

Published: 23 January 2025

Published
23 January 2025
Modified
29 January 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0021 42.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-55193 is a critical-severity NULL Pointer Dereference (CWE-476) vulnerability in Openimageio Openimageio. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 42.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-55193 is a segmentation violation vulnerability in OpenImageIO version 3.1.0.0dev, affecting the component /OpenImageIO/string_view.h. The issue, published on 2025-01-23, is associated with CWE-476 (NULL Pointer Dereference) and NVD-CWE-Other, and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

An unauthenticated attacker with network access can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized disclosure of information, modification of data, and denial of service through system crashes or potential code execution.

Mitigation details are available in the GitHub issue at https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4551.

EU & UK References

Vulnerability details

OpenImageIO v3.1.0.0dev was discovered to contain a segmentation violation via the component /OpenImageIO/string_view.h.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The segmentation fault in OpenImageIO's string_view during JPEG ICC profile processing is triggered by a crafted image (PoC provided), enabling endpoint denial of service through application exploitation.

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0048: External Harms

CVEs Like This One

CVE-2026-43908Same product: Openimageio Openimageio
CVE-2024-55194Same product: Openimageio Openimageio
CVE-2026-43909Same product: Openimageio Openimageio
CVE-2026-43907Same product: Openimageio Openimageio
CVE-2024-55192Same product: Openimageio Openimageio
CVE-2026-40413Shared CWE-476
CVE-2025-57155Shared CWE-476
CVE-2026-28390Shared CWE-476
CVE-2026-23952Shared CWE-476
CVE-2025-57156Shared CWE-476

Affected Assets

openimageio
openimageio
3.1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of known software flaws like the null pointer dereference causing segmentation violation in OpenImageIO's string_view.h.

detect

Mandates vulnerability scanning and monitoring to identify systems affected by CVE-2024-55193.

prevent

Provides runtime memory protections that mitigate exploitation of the null pointer dereference leading to crashes or potential code execution.

References