Cyber Resilience

CVE-2025-53644

Severity: Medium · Public PoC

Published: 17 July 2025
Modified: 17 October 2025
KEV Added: not listed
Patch: available (fixed in 4.12.0)
CVSS Score (v4): 6.6 (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0023 (45.9th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-53644 is a medium-severity Use of Uninitialized Variable (CWE-457) vulnerability in OpenCV. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 45.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under Computer Vision, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-53644 affects OpenCV, an open-source computer vision library, in versions 4.10.0 and 4.11.0. The vulnerability stems from an uninitialized pointer variable on the stack, which can lead to an arbitrary heap buffer write when processing crafted JPEG images. The issue is classified under CWE-457 (Use of Uninitialized Variable) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), a critical rating that reflects its potential for high impact on confidentiality, integrity, and availability.

Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. Any unauthenticated remote actor could supply a maliciously crafted JPEG image to an application using the affected OpenCV versions for image decoding, triggering the uninitialized pointer dereference and enabling arbitrary heap buffer writes. Successful exploitation could allow attackers to overwrite heap memory, potentially leading to remote code execution, data corruption, or denial of service, depending on the application's context and privileges.

Mitigation is available through upgrading to OpenCV version 4.12.0, which addresses the issue via a specific commit (a39db41390de546d18962ee1278bd6dbb715f466). Official advisories, including GitHub Security Lab's GHSL-2025-057 and the related issue tracker (#27271), confirm the fix in the 4.12.0 release and recommend immediate patching for affected deployments.


Vulnerability details

OpenCV is an Open Source Computer Vision Library. Versions 4.10.0 and 4.11.0 have an uninitialized pointer variable on stack that may lead to arbitrary heap buffer write when reading crafted JPEG images. Version 4.12.0 fixes the vulnerability.

CWE(s): CWE-457 (Use of Uninitialized Variable)

AI Security Analysis

AI Category: Computer Vision
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: opencv

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Vulnerability in OpenCV JPEG2000 decoder allows arbitrary heap buffer write via crafted images, enabling code execution in client applications processing untrusted images (T1203: Exploitation for Client Execution).

CVEs Like This One

CVE-2026-6748 (shared CWE-457)
CVE-2025-54874 (shared CWE-457)
CVE-2026-6311 (shared CWE-457)
CVE-2026-6751 (shared CWE-457)
CVE-2026-9963 (shared CWE-457)
CVE-2026-9935 (shared CWE-457)
CVE-2026-1333 (shared CWE-457)
CVE-2026-10008 (shared CWE-457)
CVE-2025-47348 (shared CWE-457)
CVE-2026-9942 (shared CWE-457)

Affected Assets

Vendor: opencv
Product: opencv
Versions: 4.10.0 — 4.12.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely patching of the uninitialized pointer flaw in OpenCV versions 4.10.0 and 4.11.0 by upgrading to 4.12.0.

SI-16 Memory Protection (prevent)

Implements memory protections such as non-executable heap memory and address space randomization to block arbitrary heap buffer writes from the uninitialized stack pointer.

Input validation (prevent)

Enforces validation of JPEG image inputs to reject crafted files that could trigger the uninitialized pointer dereference in OpenCV.
