CVE-2025-0081Use of Uninitialized Variable in External DNG SDK

CWE-457Use of Uninitialized Variable5 documents5 sources
Severity
7.5HIGHNVD
EPSS
1.2%
top 20.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Platform External DNG SDKGoogle Android
Timeline
PublishedAug 26
Latest updateAug 27

Description

In dng_lossless_decoder::HuffDecode of dng_lossless_jpeg.cpp, there is a possible way to cause a crash due to uninitialized data. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

Androidplatform/external_dng_sdk15-next:015-next:2025-03-01+5
CVEListV5google/android5 versions+4
NVDgoogle/android5 versions+4

🔴Vulnerability Details

3
GHSA
GHSA-57gp-7j4r-hj34: In dng_lossless_decoder::HuffDecode of dng_lossless_jpeg2025-08-27
CVEList
CVE-2025-0081: In dng_lossless_decoder::HuffDecode of dng_lossless_jpeg2025-08-26
OSV
CVE-2025-0081: In dng_lossless_decoder::HuffDecode of dng_lossless_jpeg2025-03-01

📋Vendor Advisories

1
Android
CVE-2025-0081: Android Security Bulletin 2025-03-01 CVE: CVE-2025-0081 Severity: CRITICAL Type: DoS Affected AOSP versions: 12, 12L, 13, 14, 15 References: A-34773542025-03-01
CVE-2025-0081 — Use of Uninitialized Variable | cvebase