CVE-2018-5269
Description
In OpenCV 3.3.1, an assertion failure happens in cv::RBaseStream::setPos in modules/imgcodecs/src/bitstrm.cpp because of an incorrect integer cast.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An integer cast error in OpenCV's cv::RBaseStream::setPos causes an assertion failure that can lead to denial of service when processing crafted image files.
Vulnerability
OpenCV 3.3.1 contains an integer cast bug in the cv::RBaseStream::setPos function within modules/imgcodecs/src/bitstrm.cpp (line 168). Incorrect casting from a int64 to a int32 integer can cause an assertion failure (assert(isOpened() && pos >= 0)) when processing specially crafted image files [4]. The assertion check relies on a signed 32-bit value, but the underlying stream position can exceed the 32-bit range, leading to undefined behavior when truncated [2]. The vulnerability affects the imgcodecs module and is reachable when OpenCV attempts to decode a malicious image file.
Exploitation
An attacker can exploit this vulnerability by providing a crafted image file (e.g., PNG, JPEG, or other formats handled by OpenCV) that causes the internal stream position to overflow or become negative after integer truncation [4]. No authentication or special network position is required if the victim application loads the file from an untrusted source (e.g., user upload, website content). The attacker only needs to supply the crafted file to trigger the assertion failure during decoding.
Impact
Successful exploitation results in a denial of service (DoS) condition: the OpenCV process crashes due to the failed assertion, terminating the application [1][4]. There is no memory corruption or arbitrary code execution reported, but the crash can be used to disrupt services that rely on OpenCV for image processing. The impact is limited to availability loss.
Mitigation
The OpenCV project addressed this issue by replacing the assert() call with proper error handling and adding overflow checks in pull request #10563 [2]. The fix was included in OpenCV versions after 3.3.1 (e.g., 3.4.0 and later). Users are advised to upgrade to a patched version. As of late 2018, no known workarounds exist aside from upgrading; users on EOL versions should consider migrating to a supported release.
- GitHub - opencv/opencv-python: Automated CI toolchain to produce precompiled opencv-python, opencv-python-headless, opencv-contrib-python and opencv-contrib-python-headless packages.
- imgcodecs: replace assert() calls, add overflow checks by alalek · Pull Request #10563 · opencv/opencv
- Assertion failure happens in bitstrm.cpp because of an incorrect integer cast
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
opencv-pythonPyPI | < 3.4.1.15 | 3.4.1.15 |
opencv-contrib-pythonPyPI | < 3.4.1.15 | 3.4.1.15 |
Affected products
2- ghsa-coords2 versions
< 3.4.1.15+ 1 more
- (no CPE)range: < 3.4.1.15
- (no CPE)range: < 3.4.1.15
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- github.com/advisories/GHSA-89rj-5ggj-3p9pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-5269ghsaADVISORY
- www.securityfocus.com/bid/106945ghsavdb-entryx_refsource_BIDWEB
- github.com/opencv/opencv/issues/10540ghsax_refsource_MISCWEB
- github.com/opencv/opencv/pull/10563ghsaWEB
- lists.debian.org/debian-lts-announce/2018/04/msg00019.htmlghsamailing-listx_refsource_MLISTWEB
- lists.debian.org/debian-lts-announce/2018/07/msg00030.htmlghsamailing-listx_refsource_MLISTWEB
- lists.debian.org/debian-lts-announce/2021/10/msg00028.htmlghsamailing-listx_refsource_MLISTWEB
News mentions
0No linked articles in our index yet.