CVE-2025-10021 (GCVE-0-2025-10021)
Vulnerability from cvelistv5
Published
2025-12-22 15:48
Modified
2025-12-22 16:07
Severity ?
7.0 (High) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber
CWE
  • CWE-457 - Use of Uninitialized Variable
Summary
A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. Static object `COdaMfcAppApp theApp` may access `OdString::kEmpty` before its initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,  memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.
References
Impacted products
Vendor Product Version
Open Design Alliance ODA Drawings SDK - All Versions < 2026.12 Version: 0   < 2026.12
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-10021",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-22T16:07:39.802296Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-22T16:07:59.129Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows",
            "Linux",
            "MacOS"
          ],
          "product": "ODA Drawings SDK - All Versions \u003c 2026.12",
          "vendor": "Open Design Alliance",
          "versions": [
            {
              "lessThan": "2026.12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA Use of Uninitialized Variable vulnerability exists in Open Design\u0026nbsp;Alliance Drawings SDK static versions (mt) before 2026.12. Static object\u0026nbsp;`COdaMfcAppApp theApp` may access `OdString::kEmpty` before its\u0026nbsp;initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,\u0026nbsp; memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.\u003c/p\u003e"
            }
          ],
          "value": "A Use of Uninitialized Variable vulnerability exists in Open Design\u00a0Alliance Drawings SDK static versions (mt) before 2026.12. Static object\u00a0`COdaMfcAppApp theApp` may access `OdString::kEmpty` before its\u00a0initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,\u00a0 memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-457",
              "description": "CWE-457: Use of Uninitialized Variable",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-22T15:48:07.288Z",
        "orgId": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea",
        "shortName": "ODA"
      },
      "references": [
        {
          "url": "https://www.opendesign.com/security-advisories"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea",
    "assignerShortName": "ODA",
    "cveId": "CVE-2025-10021",
    "datePublished": "2025-12-22T15:48:07.288Z",
    "dateReserved": "2025-09-05T10:51:56.557Z",
    "dateUpdated": "2025-12-22T16:07:59.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-10021\",\"sourceIdentifier\":\"8a9629cb-c5e7-4d2a-a894-111e8039b7ea\",\"published\":\"2025-12-22T16:15:43.437\",\"lastModified\":\"2025-12-22T16:15:43.437\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Use of Uninitialized Variable vulnerability exists in Open Design\u00a0Alliance Drawings SDK static versions (mt) before 2026.12. Static object\u00a0`COdaMfcAppApp theApp` may access `OdString::kEmpty` before its\u00a0initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,\u00a0 memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"8a9629cb-c5e7-4d2a-a894-111e8039b7ea\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:L/U:Amber\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"YES\",\"Recovery\":\"USER\",\"valueDensity\":\"DIFFUSE\",\"vulnerabilityResponseEffort\":\"LOW\",\"providerUrgency\":\"AMBER\"}}]},\"weaknesses\":[{\"source\":\"8a9629cb-c5e7-4d2a-a894-111e8039b7ea\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-457\"}]}],\"references\":[{\"url\":\"https://www.opendesign.com/security-advisories\",\"source\":\"8a9629cb-c5e7-4d2a-a894-111e8039b7ea\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-10021\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-22T16:07:39.802296Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-22T16:07:51.937Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-100\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-100 Overflow Buffers\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"USER\", \"baseScore\": 7, \"Automatable\": \"YES\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"DIFFUSE\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"AMBER\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Open Design Alliance\", \"product\": \"ODA Drawings SDK - All Versions \u003c 2026.12\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2026.12\", \"versionType\": \"custom\"}], \"platforms\": [\"Windows\", \"Linux\", \"MacOS\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.opendesign.com/security-advisories\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A Use of Uninitialized Variable vulnerability exists in Open Design\\u00a0Alliance Drawings SDK static versions (mt) before 2026.12. Static object\\u00a0`COdaMfcAppApp theApp` may access `OdString::kEmpty` before its\\u00a0initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,\\u00a0 memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eA Use of Uninitialized Variable vulnerability exists in Open Design\u0026nbsp;Alliance Drawings SDK static versions (mt) before 2026.12. Static object\u0026nbsp;`COdaMfcAppApp theApp` may access `OdString::kEmpty` before its\u0026nbsp;initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,\u0026nbsp; memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-457\", \"description\": \"CWE-457: Use of Uninitialized Variable\"}]}], \"providerMetadata\": {\"orgId\": \"8a9629cb-c5e7-4d2a-a894-111e8039b7ea\", \"shortName\": \"ODA\", \"dateUpdated\": \"2025-12-22T15:48:07.288Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-10021\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-22T16:07:59.129Z\", \"dateReserved\": \"2025-09-05T10:51:56.557Z\", \"assignerOrgId\": \"8a9629cb-c5e7-4d2a-a894-111e8039b7ea\", \"datePublished\": \"2025-12-22T15:48:07.288Z\", \"assignerShortName\": \"ODA\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.