CVE-2017-12601: Improper Restriction of Operations within the Bounds of a Memory Buffer in OpenCV
8.8
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.61437%
CWE
Published
10/12/2021
Updated
2/1/2023
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
opencv-python | pip | <= 3.3.0.9 | 3.3.1.11 |
opencv-contrib-python | pip | <= 3.3.0.9 | 3.3.1.11 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The CVE description explicitly states the buffer overflow occurs in cv::BmpDecoder::readData.
- Valgrind logs in GitHub issue #9309 show invalid writes originating from this function's memcpy operation.
- The vulnerability manifests when using cv::imread, which calls this decoder.
- CWE-120 (Classic Buffer Overflow) directly maps to the unsafe memcpy pattern described.
- The patch in PR #9376 likely addressed this by adding proper bounds checks in the BMP decoder implementation.