CVE-2025-10021

HIGH

Open Design Alliance Drawings SDK (mt) <2026.12 - Use After Free

Title source: llm

Description

A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. Static object `COdaMfcAppApp theApp` may access `OdString::kEmpty` before its initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior, memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.

References (1)

[Various Sources] https://www.opendesign.com/security-advisories

Scores

CVSS v4 7.0

EPSS 0.0004

EPSS Percentile 13.0%

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Amber

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-457

Status published

Products (1)

Open Design Alliance/ODA Drawings SDK - All Versions < 2026.12 < 2026.12

Published Dec 22, 2025

Tracked Since Feb 18, 2026