Severity
7.8 HIGH (NVD)
EPSS
0.7%
top 28.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 7
Latest update: Jan 29

Description

Trimble SketchUp SKP File Parsing Uninitialized Variable Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SKP files. The issue results from the lack of proper initialization of memory prior to accessing it. An attack

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (2 packages)

NVD: trimble/sketchup < 2025.0
CVEListV5: trimble/sketchup 2024-0-484-191

🔴Vulnerability Details

3
OSV
linux, linux-aws, linux-aws-hwe, linux-hwe, linux-kvm, linux-oracle vulnerabilities (2026-01-29)
GHSA
GHSA-v656-frxw-r56p: Trimble SketchUp SKP File Parsing Uninitialized Variable Remote Code Execution Vulnerability (2025-03-07)
CVEList
Trimble SketchUp SKP File Parsing Uninitialized Variable Remote Code Execution Vulnerability (2025-03-07)

💥Exploits & PoCs

1
Exploit-DB
Firefox ESR 115.11 - PDF.js Arbitrary JavaScript execution (2025-04-22)

📋Vendor Advisories

26
Red Hat
qemu-kvm: QEMU SR-IOV Enable Mask Vulnerability (2025-07-25)
Oracle
Oracle Oracle Communications Risk Matrix: Platform (Undertow) — CVE-2024-7885 (2025-07-15)
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: Infrastructure (Spring Framework) — CVE-2024-38820 (2025-04-15)
Oracle
Oracle Oracle Communications Applications Risk Matrix: Connection Manager (Python) — CVE-2024-53122 (2025-04-15)
Oracle
Oracle Oracle Communications Risk Matrix: Configuration Management Platform (Jenkins) — CVE-2024-43044 (2025-04-15)

🕵️Threat Intelligence

2
Bleepingcomputer
Zyxel won’t patch newly exploited flaws in end-of-life routers (2025-02-04)
Wiz
CVE-2025-13659 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-2024 — Use of Uninitialized Variable | cvebase