{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10021", "assignerOrgId": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea", "state": "PUBLISHED", "assignerShortName": "ODA", "dateReserved": "2025-09-05T10:51:56.557Z", "datePublished": "2025-12-22T15:48:07.288Z", "dateUpdated": "2025-12-22T16:07:59.129Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "Linux", "MacOS"], "product": "ODA Drawings SDK - All Versions < 2026.12", "vendor": "Open Design Alliance", "versions": [{"lessThan": "2026.12", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A Use of Uninitialized Variable vulnerability exists in Open Design&nbsp;Alliance Drawings SDK static versions (mt) before 2026.12. Static object&nbsp;`COdaMfcAppApp theApp` may access `OdString::kEmpty` before its&nbsp;initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,&nbsp; memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.</p>"}], "value": "A Use of Uninitialized Variable vulnerability exists in Open Design\u00a0Alliance Drawings SDK static versions (mt) before 2026.12. Static object\u00a0`COdaMfcAppApp theApp` may access `OdString::kEmpty` before its\u00a0initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,\u00a0 memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios."}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-457", "description": "CWE-457: Use of Uninitialized Variable", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea", "shortName": "ODA", "dateUpdated": "2025-12-22T15:48:07.288Z"}, "references": [{"url": "https://www.opendesign.com/security-advisories"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T16:07:39.802296Z", "id": "CVE-2025-10021", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T16:07:59.129Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10021", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T16:07:39.802296Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T16:07:51.937Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 7, "Automatable": "YES", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Open Design Alliance", "product": "ODA Drawings SDK - All Versions < 2026.12", "versions": [{"status": "affected", "version": "0", "lessThan": "2026.12", "versionType": "custom"}], "platforms": ["Windows", "Linux", "MacOS"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.opendesign.com/security-advisories"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A Use of Uninitialized Variable vulnerability exists in Open Design\u00a0Alliance Drawings SDK static versions (mt) before 2026.12. Static object\u00a0`COdaMfcAppApp theApp` may access `OdString::kEmpty` before its\u00a0initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,\u00a0 memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.", "supportingMedia": [{"type": "text/html", "value": "<p>A Use of Uninitialized Variable vulnerability exists in Open Design&nbsp;Alliance Drawings SDK static versions (mt) before 2026.12. Static object&nbsp;`COdaMfcAppApp theApp` may access `OdString::kEmpty` before its&nbsp;initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,&nbsp; memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-457", "description": "CWE-457: Use of Uninitialized Variable"}]}], "providerMetadata": {"orgId": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea", "shortName": "ODA", "dateUpdated": "2025-12-22T15:48:07.288Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10021", "state": "PUBLISHED", "dateUpdated": "2025-12-22T16:07:59.129Z", "dateReserved": "2025-09-05T10:51:56.557Z", "assignerOrgId": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea", "datePublished": "2025-12-22T15:48:07.288Z", "assignerShortName": "ODA"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Use of Uninitialized Variable vulnerability exists in Open Design\u00a0Alliance Drawings SDK static versions (mt) before 2026.12. Static object\u00a0`COdaMfcAppApp theApp` may access `OdString::kEmpty` before its\u00a0initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,\u00a0 memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios."}], "id": "CVE-2025-10021", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "source": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea", "type": "Secondary"}]}, "published": "2025-12-22T16:15:43.437", "references": [{"source": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea", "url": "https://www.opendesign.com/security-advisories"}], "sourceIdentifier": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-457"}], "source": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea", "type": "Secondary"}]}

{}

{"created": "2025-12-24T11:53:27.424050+00:00", "updated": "2025-12-24T11:53:27.424084+00:00", "vendors": ["opendesign", "opendesign$PRODUCT$oda_drawings_sdk"]}