Cyber Resilience

CVE-2024-55195

Severity: High · Category: DDoS

Published: 23 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (19.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-55195 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 19.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-55195 is an allocation-size-too-big vulnerability in the /imagebuf.cpp component of OpenImageIO version 3.1.0.0dev. The flaw triggers a Denial of Service (DoS) when the program requests allocation of an excessively large amount of memory, as indicated by its association with CWE-770. Published on 2025-01-23, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting high availability impact with no effects on confidentiality or integrity.

Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, requiring only low attack complexity over the network. Successful exploitation causes the affected OpenImageIO instance to crash or become unresponsive due to failed memory allocation, resulting in a DoS condition targeted at applications or services relying on this library for image processing.

The vulnerability is detailed in a GitHub issue at https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4553, which serves as the primary advisory reference. Security practitioners should monitor this issue for developer updates on patches or workarounds.

Vulnerability details

An allocation-size-too-big bug in the component /imagebuf.cpp of OpenImageIO v3.1.0.0dev may cause a Denial of Service (DoS) when the program requests to allocate too much space.

CWE(s)

CWE-770: Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Directly enables application DoS via memory allocation exploitation (CWE-770) matching T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47877 (shared CWE-770)
CVE-2026-3260 (shared CWE-770)
CVE-2025-66560 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
CVE-2020-37038 (shared CWE-770)
CVE-2025-36070 (shared CWE-770)
CVE-2021-47791 (shared CWE-770)
CVE-2021-47876 (shared CWE-770)
CVE-2019-25342 (shared CWE-770)
CVE-2026-44004 (shared CWE-770)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent: Directly remediates the allocation-size-too-big flaw in OpenImageIO by requiring timely application of vendor patches or updates.

Prevent (SI-10, Information Input Validation): Validates image input parameters and metadata to reject requests for excessively large memory allocations that trigger the DoS vulnerability.

Prevent (SC-5, Denial-of-service Protection): Implements denial-of-service protections such as resource limits to mitigate remote exploitation causing memory exhaustion and crashes in OpenImageIO.
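As an added illustration of the input-validation and resource-limit controls listed above (example code written for this page, not from OpenImageIO or the page's author): the pixel-buffer size is derived from an image header with overflow-checked multiplication and compared against a caller-supplied ceiling before any memory is requested. The struct, function names and the byte limit are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Constructed example: image geometry as it would be read from an untrusted
// file header. None of these fields can be trusted to be sane.
struct ImageGeometry {
    std::uint64_t width;
    std::uint64_t height;
    std::uint64_t channels;
    std::uint64_t bytes_per_channel;
};

// Multiply a*b into out; return false if the product does not fit in 64 bits.
static bool checked_mul(std::uint64_t a, std::uint64_t b, std::uint64_t& out) {
    if (a != 0 && b > std::numeric_limits<std::uint64_t>::max() / a) return false;
    out = a * b;
    return true;
}

// Return the byte count a buffer for g needs, or std::nullopt when the header
// is degenerate, the size overflows, or it exceeds max_bytes (the resource
// limit a deployment chooses; SC-5). Rejecting here is the SI-10 check: the
// decision is made before any allocation is attempted.
std::optional<std::uint64_t> checked_buffer_size(const ImageGeometry& g,
                                                 std::uint64_t max_bytes) {
    if (g.width == 0 || g.height == 0 || g.channels == 0 || g.bytes_per_channel == 0)
        return std::nullopt;                     // zero-sized dimension
    std::uint64_t n = 0;
    if (!checked_mul(g.width, g.height, n)) return std::nullopt;
    if (!checked_mul(n, g.channels, n)) return std::nullopt;
    if (!checked_mul(n, g.bytes_per_channel, n)) return std::nullopt;
    if (n > max_bytes) return std::nullopt;      // refuse an oversized request
    return n;
}

// Allocate only after validation, so a hostile header cannot drive the
// allocator into an enormous or overflowed request that crashes the process.
std::optional<std::vector<unsigned char>> allocate_pixels(const ImageGeometry& g,
                                                          std::uint64_t max_bytes) {
    auto n = checked_buffer_size(g, max_bytes);
    if (!n) return std::nullopt;
    return std::vector<unsigned char>(static_cast<std::size_t>(*n));
}
```

A rejected header should be logged with its claimed dimensions, since repeated oversized requests from one source are a useful detection signal for T1499.004 attempts.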
