CVE-2024-55193

9.8 CRITICAL

📋 TL;DR

CVE-2024-55193 is a NULL pointer dereference vulnerability in OpenImageIO's string_view.h component that can cause segmentation faults. This allows attackers to crash applications or potentially execute arbitrary code by providing malicious input. Users of OpenImageIO v3.1.0.0dev are affected.

💻 Affected Systems

Products:
  • OpenImageIO
Versions: v3.1.0.0dev
Operating Systems: All platforms running OpenImageIO
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the development version 3.1.0.0dev; stable releases are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crashes causing denial of service, potentially leading to data corruption in image processing pipelines.

🟢 If Mitigated: Controlled crash with minimal impact if proper input validation and sandboxing are implemented.

🌐 Internet-Facing: MEDIUM - Requires specific image processing functionality exposed to untrusted input.
🏢 Internal Only: LOW - Typically used in controlled environments with trusted input sources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering the specific string_view.h parsing vulnerability with crafted input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to stable release or later development version

Vendor Advisory: https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4551

Restart Required: Yes

Instructions:

1. Check current OpenImageIO version
2. If running v3.1.0.0dev, upgrade to stable release
3. Rebuild any applications using OpenImageIO
4. Restart affected services

🔧 Temporary Workarounds

Input validation wrapper (platform: all): Implement strict input validation for all image files processed by OpenImageIO.

Sandbox execution (platform: linux): Run OpenImageIO processes in isolated containers or sandboxes with limited privileges, for example:

docker run --read-only --cap-drop=ALL -v /input:/input:ro openimageio-app

🧯 If You Can't Patch

  • Isolate OpenImageIO instances from critical systems and networks
  • Implement strict network segmentation and monitor for crash events

🔍 How to Verify

Check if Vulnerable:

Check OpenImageIO version string for 'v3.1.0.0dev'

Check Version:

oiiotool --version | grep -i '3.1.0.0dev'

Verify Fix Applied:

Verify version no longer contains 'v3.1.0.0dev' and test with known problematic inputs

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors
  • OpenImageIO process crashes
  • Core dumps in application directories

Network Indicators:

  • Unusual image file uploads to processing endpoints
  • Repeated connection attempts to image processing services

SIEM Query:

process_name:"oiiotool" AND (event_type:crash OR error_message:"segmentation fault")
