CVE-2018-18223

Vulnerability

The Open Design Alliance (ODA) Drawings SDK version 2019Update1 contains a vulnerability during the reading of malformed files. Specifically, a static object COdaMfcApp theApp may access OdString::kEmpty before its initialization, due to undefined initialization order of static objects across translation units (the Static Initialization Order Fiasco). This affects all versions before 2026.12 [1]. The code path is reachable when the application starts, regardless of file input, because the uninitialized memory access occurs during static object construction.

Exploitation

An attacker needs no special network position or authentication; the vulnerability is triggered simply by launching the affected application (e.g., OdaMfcApp from the ODA Drawings SDK). No user interaction or race window is required. The concrete sequence is: during program startup, the static object theApp is constructed before OdString::kEmpty is initialized, causing the application to access uninitialized memory and crash or potentially corrupt memory [1].

Impact

On successful exploitation, the attacker gains denial of service (application crash). Due to undefined behavior, memory corruption and potential arbitrary code execution cannot be ruled out in specific scenarios [1]. The compromise occurs at process startup with no privilege escalation.

Mitigation

As of the advisory publication date (2018-10-19), no fix has been released for version 2019Update1. The vendor (ODA) states that all versions before 2026.12 are affected, but a fixed version (2026.12) is planned [1]. Until then, users should avoid launching the affected application or apply workarounds such as delaying static initialization order via linker configuration, though no official mitigation is disclosed in the available references.