GHSA-RX6R-89FC-6XM2

Vulnerability from github – Published: 2025-12-22 18:30 – Updated: 2025-12-22 18:30
VLAI?
Details

A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. Static object COdaMfcAppApp theApp may access OdString::kEmpty before its initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,  memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.

Severity ?
7.0 (High)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-10021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-22T16:15:43Z",
    "severity": "HIGH"
  },
  "details": "A Use of Uninitialized Variable vulnerability exists in Open Design\u00a0Alliance Drawings SDK static versions (mt) before 2026.12. Static object\u00a0`COdaMfcAppApp theApp` may access `OdString::kEmpty` before its\u00a0initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,\u00a0 memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.",
  "id": "GHSA-rx6r-89fc-6xm2",
  "modified": "2025-12-22T18:30:24Z",
  "published": "2025-12-22T18:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10021"
    },
    {
      "type": "WEB",
      "url": "https://www.opendesign.com/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:L/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.