Cyber Resilience

CVE-2024-55194

Critical · Public PoC

Published: 23 January 2025

Modified: 29 January 2025
KEV Added: (not listed)
Patch: (none referenced)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0024 (47.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-55194 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in OpenImageIO (vendor/product: Openimageio Openimageio). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 47.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-55194 is a heap overflow vulnerability affecting OpenImageIO version 3.1.0.0dev, specifically within the component located at /OpenImageIO/fmath.h. The issue maps to CWE-787 (Out-of-bounds Write) and CWE-120 (Buffer Copy without Checking Size of Input) and carries a CVSS v3.1 base score of 9.8, indicating critical severity because of its potential for high impact on confidentiality, integrity, and availability.

According to the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable over a network by unauthenticated attackers with low attack complexity and no user interaction. Successful exploitation could allow remote attackers to trigger the heap overflow, potentially leading to arbitrary code execution, data corruption, or denial of service by corrupting the affected application's heap memory.

The vulnerability was reported in GitHub issue #4552 on the AcademySoftwareFoundation/OpenImageIO repository, with references pointing to this issue for further details on discovery and discussion. No specific patch or mitigation details are outlined in the provided CVE information.

EU & UK References

Vulnerability details

OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component /OpenImageIO/fmath.h.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

A heap buffer overflow in OpenImageIO image processing (in fmath.h, during pixel stats computation) can enable arbitrary code execution when a crafted malicious image is opened by a vulnerable client application.

MITRE ATLAS Techniques (AI)

MITRE ATLAS techniques

AML.T0048: External Harms

CVEs Like This One

CVE-2026-43909: same product (Openimageio Openimageio)
CVE-2024-55192: same product (Openimageio Openimageio)
CVE-2026-43908: same product (Openimageio Openimageio)
CVE-2026-43907: same product (Openimageio Openimageio)
CVE-2024-55193: same product (Openimageio Openimageio)
CVE-2025-8854: shared CWE-120, CWE-787
CVE-2026-5734: shared CWE-120, CWE-787
CVE-2026-0122: shared CWE-787
CVE-2019-25705: shared CWE-787
CVE-2026-42484: shared CWE-787

Affected Assets

Vendor: openimageio
Product: openimageio
Version: 3.1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent (SI-2 Flaw Remediation): Directly remediates the heap overflow vulnerability in OpenImageIO by identifying, testing, and applying patches or updates to affected versions.

prevent (SI-16 Memory Protection): Implements runtime memory protections such as ASLR, DEP, and heap hardening to prevent exploitation of the heap overflow for arbitrary code execution or memory corruption.

prevent: Requires validation of input sizes to image processing functions in fmath.h to prevent buffer copies without size checks that lead to the heap overflow.

References