CVE-2025-10021

A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. Static object `COdaMfcAppApp theApp` may access `OdString::kEmpty` before its initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior, memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.

CVSS

No CVSS.

References

Link	Resource
https://www.opendesign.com/security-advisories

Configurations

No configuration.

History

22 Dec 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-22 16:15

Updated : 2025-12-23 14:51

NVD link : CVE-2025-10021

Mitre link : CVE-2025-10021

CVE.ORG link : CVE-2025-10021

JSON object : View

Products Affected

No product.

CWE

CWE-457

Use of Uninitialized Variable

{"id": "CVE-2025-10021", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 7.0, "Automatable": "YES", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:L/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-22T16:15:43.437", "references": [{"url": "https://www.opendesign.com/security-advisories", "source": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea", "description": [{"lang": "en", "value": "CWE-457"}]}], "descriptions": [{"lang": "en", "value": "A Use of Uninitialized Variable vulnerability exists in Open Design\u00a0Alliance Drawings SDK static versions (mt) before 2026.12. Static object\u00a0`COdaMfcAppApp theApp` may access `OdString::kEmpty` before its\u00a0initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,\u00a0 memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios."}], "lastModified": "2025-12-23T14:51:52.650", "sourceIdentifier": "8a9629cb-c5e7-4d2a-a894-111e8039b7ea"}