CVE-2025-10021
Use of Uninitialized Variable in ODA Drawings SDK Causes Crash
Publication date: 2025-12-22
Last updated on: 2025-12-22
Assigner: Open Design Alliance
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open_design_alliance | drawings_sdk | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-457 | The code uses a variable that has not been initialized, leading to unpredictable or unintended results. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can cause the application to crash on startup, resulting in a denial of service. Additionally, due to the undefined behavior, there is a risk of memory corruption and potentially arbitrary code execution in certain exploitation scenarios, which could lead to further security compromises.
Can you explain this vulnerability to me?
This vulnerability is a Use of Uninitialized Variable issue in the Open Design Alliance Drawings SDK static versions before 2026.12. Specifically, a static object named COdaMfcAppApp theApp may access OdString::kEmpty before it has been initialized. Because the order of static object initialization across different translation units is undefined (known as the Static Initialization Order Fiasco), the application ends up accessing uninitialized memory. This can cause the application to crash on startup.
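The initialization-order problem described above, shown next to the common construct-on-first-use mitigation. This is an added example, not ODA code and not the vendor's fix: `DemoString`, `DemoApp`, `kEmptyGlobal` and `emptyOnFirstUse` are hypothetical stand-ins, and both globals are placed in one file so the order is deterministic for the demonstration.

```cpp
#include <cstdio>

// Constant-initialized flags: set before any constructor runs, so reading them is always safe.
bool g_globalReady = false;
bool g_localReady = false;

// Hypothetical stand-in for a string class that exposes a shared "empty" constant.
struct DemoString {
    const char* data;
    DemoString(const char* s, bool* ready) : data(s) { *ready = true; }
};

// Pattern at risk: a namespace-scope constant with a dynamic initializer.
extern const DemoString kEmptyGlobal;   // defined further down, as if in another file

// Mitigation: construct on first use. The function-local static is built
// the first time the accessor is called, whoever calls it and however early.
const DemoString& emptyOnFirstUse() {
    static const DemoString s("", &g_localReady);
    return s;
}

// Hypothetical stand-in for an application object defined as a global.
struct DemoApp {
    bool globalWasReady;
    bool localWasReady;
    DemoApp() {
        // Only the flag is read; touching kEmptyGlobal here would be the bug itself.
        globalWasReady = g_globalReady;
        localWasReady = emptyOnFirstUse().data != nullptr && g_localReady;
    }
};

// Within one file, dynamic initialization follows definition order, so theApp
// is constructed first. Across files the language does not define the order.
DemoApp theApp;
const DemoString kEmptyGlobal("", &g_globalReady);

bool globalReadyWhenAppStarted() { return theApp.globalWasReady; }
bool localReadyWhenAppStarted()  { return theApp.localWasReady; }
bool globalReadyAfterStartup()   { return g_globalReady; }

int main() {
    std::printf("global constant ready during app ctor: %d\n", globalReadyWhenAppStarted());
    std::printf("first-use accessor ready during app ctor: %d\n", localReadyWhenAppStarted());
    std::printf("global constant ready once main runs: %d\n", globalReadyAfterStartup());
    return 0;
}
```

The global constant is valid by the time `main` runs, which is why this class of bug only shows up in code that executes during static initialization, such as a global application object's constructor.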