CVE-2024-55195
Published: 23 January 2025
Summary
CVE-2024-55195 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 19.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-55195 is an allocation-size-too-big vulnerability in the /imagebuf.cpp component of OpenImageIO version 3.1.0.0dev. The flaw triggers a Denial of Service (DoS) when the program requests allocation of an excessively large amount of memory, as indicated by its association with CWE-770. Published on 2025-01-23, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting high availability impact with no effects on confidentiality or integrity.
Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, requiring only low attack complexity over the network. Successful exploitation causes the affected OpenImageIO instance to crash or become unresponsive due to failed memory allocation, resulting in a DoS condition targeted at applications or services relying on this library for image processing.
The vulnerability is detailed in a GitHub issue at https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4553, which serves as the primary advisory reference. Security practitioners should monitor this issue for developer updates on patches or workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52749
Vulnerability details
An allocation-size-too-big bug in the component /imagebuf.cpp of OpenImageIO v3.1.0.0dev may cause a Denial of Service (DoS) when the program requests to allocate too much space.
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1499.004 (Application or System Exploitation)
Why this technique?
The flaw directly enables application DoS via memory allocation exploitation (CWE-770), which matches T1499.004.
Mitigating Controls (NIST 800-53 r5)
- Vendor patching: directly remediates the allocation-size-too-big flaw in OpenImageIO by requiring timely application of vendor patches or updates.
- SI-10 (Information Input Validation): validates image input parameters and metadata to reject requests for excessively large memory allocations that trigger the DoS vulnerability.
- SC-5 (Denial-of-service Protection): implements denial-of-service protections such as resource limits to mitigate remote exploitation causing memory exhaustion and crashes in OpenImageIO.
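As an added illustration of the SI-10 and SC-5 controls above (a constructed example, not OpenImageIO's own code; the 1 GiB cap and the function names are assumptions), the following check computes the byte size a requested image buffer would need with overflow-safe arithmetic and refuses anything over a configured limit before any allocation takes place:

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>

// Policy cap for a single pixel buffer. Hypothetical value chosen for this
// example; a real deployment would derive it from available memory.
constexpr std::size_t kMaxImageBytes = std::size_t(1) << 30;  // 1 GiB

// Multiply two sizes and report overflow instead of silently wrapping.
bool mul_checked(std::size_t a, std::size_t b, std::size_t& out) {
    if (a != 0 && b > std::numeric_limits<std::size_t>::max() / a) return false;
    out = a * b;
    return true;
}

// Returns true and sets `bytes` only when width*height*channels*bytes_per_channel
// is positive, overflow-free and no larger than `max_bytes`. On false the caller
// must reject the image rather than attempt the allocation (CWE-770 mitigation).
bool safe_image_bytes(std::int64_t width, std::int64_t height, int channels,
                      int bytes_per_channel, std::size_t max_bytes, std::size_t& bytes) {
    if (width <= 0 || height <= 0 || channels <= 0 || bytes_per_channel <= 0) return false;
    std::size_t n = 0;
    if (!mul_checked(static_cast<std::size_t>(width), static_cast<std::size_t>(height), n)) return false;
    if (!mul_checked(n, static_cast<std::size_t>(channels), n)) return false;
    if (!mul_checked(n, static_cast<std::size_t>(bytes_per_channel), n)) return false;
    if (n > max_bytes) return false;
    bytes = n;
    return true;
}

// Convenience wrapper applying the policy cap to header fields read from a file.
bool within_policy(std::int64_t width, std::int64_t height, int channels, int bytes_per_channel) {
    std::size_t bytes = 0;
    return safe_image_bytes(width, height, channels, bytes_per_channel, kMaxImageBytes, bytes);
}
```

The two independent checks matter: the overflow guard catches dimensions whose product wraps to a small number, and the cap catches products that are well-formed but simply too large for the host.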