CVE-2024-55194
Published: 23 January 2025
Summary
CVE-2024-55194 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in OpenImageIO. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability is ranked at the 47.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-55194 is a heap overflow vulnerability affecting OpenImageIO version 3.1.0.0dev, specifically within the component located at /OpenImageIO/fmath.h. The issue corresponds to CWE-787 (Out-of-bounds Write) and CWE-120 (Buffer Copy without Checking Size of Input), earning a CVSS v3.1 base score of 9.8, indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.
The vulnerability enables exploitation over a network by unauthenticated attackers with low complexity and no user interaction required, as per the CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Successful exploitation could allow remote attackers to trigger the heap overflow, potentially leading to arbitrary code execution, data corruption, or denial of service by compromising the affected application's memory handling.
The vulnerability was reported in GitHub issue #4552 on the AcademySoftwareFoundation/OpenImageIO repository, with references pointing to this issue for further details on discovery and discussion. No specific patch or mitigation details are outlined in the provided CVE information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52748
Vulnerability details
OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component /OpenImageIO/fmath.h.
CWE(s)
- CWE-787 (Out-of-bounds Write)
- CWE-120 (Buffer Copy without Checking Size of Input)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Client Execution (T1203)
Why these techniques?
A heap buffer overflow in OpenImageIO's image processing (in fmath.h, reached during pixel statistics computation) can enable arbitrary code execution when a crafted malicious image is opened by a vulnerable client application, which is the classic client-side exploitation pattern that T1203 describes.
MITRE ATLAS Techniques
Affected Assets
- OpenImageIO 3.1.0.0dev
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the heap overflow in OpenImageIO by identifying, testing, and applying patches or updates to affected versions.
- SI-16 (Memory Protection): implements runtime memory protections such as ASLR, DEP, and heap hardening so that a triggered heap overflow is far harder to turn into arbitrary code execution or memory corruption.
- Input validation: requires that the sizes of inputs passed to the image processing functions in fmath.h are validated before any copy, closing the buffer-copy-without-size-check (CWE-120) path that leads to the heap overflow.