Home

Description

A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. Static object `COdaMfcAppApp theApp` may access `OdString::kEmpty` before its initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior,  memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.

PUBLISHED Reserved 2025-09-05 | Published 2025-12-22 | Updated 2025-12-22 | Assigner ODA




HIGH: 7.0CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber

Problem types

CWE-457: Use of Uninitialized Variable

Product status

Default status
unaffected

Any version before 2026.12
affected

References

www.opendesign.com/security-advisories

cve.org (CVE-2025-10021)

nvd.nist.gov (CVE-2025-10021)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.