CVE-2019-14492
Description
An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read/write in the function HaarEvaluator::OptFeature::calc in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenCV before 3.4.7 and 4.x before 4.1.1 has an out-of-bounds read/write in HaarEvaluator::OptFeature::calc, causing denial of service.
Vulnerability Overview
CVE-2019-14492 is an out-of-bounds read/write vulnerability in OpenCV's object detection module. The flaw resides in the HaarEvaluator::OptFeature::calc function within modules/objdetect/src/cascadedetect.hpp. Improper bounds checking allows an attacker to trigger memory corruption when processing specially crafted input, leading to a denial of service [2].
Exploitation Details
An attacker can exploit this vulnerability by supplying a malicious Haar cascade file or crafted image data to an application using the affected OpenCV version. No authentication is required; the attack vector is network-based if the application processes user-supplied data. The out-of-bounds access occurs during feature calculation, which is a core step in object detection [2].
Impact
Successful exploitation results in a denial of service, typically through a crash or hang of the application. In some cases, the out-of-bounds write might be leveraged for arbitrary code execution, though the official description only confirms denial of service [2].
Mitigation
OpenCV addressed this issue in versions 3.4.7 and 4.1.1. Users should upgrade to these or later releases. The fix commits are available in the OpenCV repository [3][4]. No workarounds are documented; updating is the recommended action.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| opencv-python (PyPI) | < 3.4.7.28 | 3.4.7.28 |
| opencv-python (PyPI) | >= 4.0.0.21, < 4.1.1.26 | 4.1.1.26 |
| opencv-python-headless (PyPI) | < 3.4.7.28 | 3.4.7.28 |
| opencv-python-headless (PyPI) | >= 4.0.0.21, < 4.1.1.26 | 4.1.1.26 |
| opencv-contrib-python (PyPI) | < 3.4.7.28 | 3.4.7.28 |
| opencv-contrib-python (PyPI) | >= 4.0.0.21, < 4.1.1.26 | 4.1.1.26 |
| opencv-contrib-python-headless (PyPI) | < 3.4.7.28 | 3.4.7.28 |
| opencv-contrib-python-headless (PyPI) | >= 4.0.0.21, < 4.1.1.26 | 4.1.1.26 |
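To apply these ranges to a dependency file, the following added example (not code from the advisory or from OpenCV) audits pinned requirement lines against the affected-versions table. The names `audit` and `is_affected` and the sample requirements are constructed for illustration.

```python
import re

# Affected ranges from the "Affected packages" table: (inclusive low, exclusive high).
AFFECTED_RANGES = [(None, (3, 4, 7, 28)), ((4, 0, 0, 21), (4, 1, 1, 26))]
PACKAGES = {"opencv-python", "opencv-python-headless",
            "opencv-contrib-python", "opencv-contrib-python-headless"}

# name, optional [extras], version specifier, optional marker or comment
LINE = re.compile(r"^\s*([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*(.*?)\s*(?:[;#].*)?$")
EXACT = re.compile(r"^==\s*([0-9]+(?:\.[0-9]+)*)$")

# Constructed sample input for illustration, not from a real project.
SAMPLE_REQUIREMENTS = """\
# image service dependencies
numpy==1.16.4
opencv-python==3.4.6.27
opencv-python-headless==4.1.0.25 ; python_version >= "3.5"
opencv-contrib-python==4.1.1.26
Opencv_Contrib_Python_Headless>=4.0
"""


def parse_version(text):
    """Turn '4.1.0.25' into (4, 1, 0, 25), zero-padded to four components."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version):
    v = parse_version(version)
    return any((lo is None or v >= lo) and v < hi for lo, hi in AFFECTED_RANGES)


def audit(requirements_text):
    """Return (package, version, status) for each of the four wheels found."""
    findings = []
    for line in requirements_text.splitlines():
        m = LINE.match(line)
        # PEP 503 name normalisation so Opencv_Python matches opencv-python
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower() if m else ""
        if name not in PACKAGES:
            continue
        pin = EXACT.match(m.group(2))
        if pin is None:
            findings.append((name, None, "unpinned"))  # range or bare name
        else:
            status = "affected" if is_affected(pin.group(1)) else "patched"
            findings.append((name, pin.group(1), status))
    return findings
```

An `unpinned` result means the resolved version has to be checked in the built environment, since a range such as `>=4.0` can still resolve to an affected wheel.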
Affected products
ghsa-coords, 10 versions (no CPE for any entry):
- pkg:pypi/opencv-contrib-python, range: < 3.4.7.28
- pkg:pypi/opencv-contrib-python-headless, range: < 3.4.7.28
- pkg:pypi/opencv-python, range: < 3.4.7.28
- pkg:pypi/opencv-python-headless, range: < 3.4.7.28
- pkg:rpm/suse/opencv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015, range: < 3.3.1-6.6.1
- pkg:rpm/suse/opencv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP1, range: < 3.3.1-6.6.1
- pkg:rpm/suse/opencv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP2, range: < 3.3.1-6.6.1
- pkg:rpm/suse/opencv&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015, range: < 3.3.1-6.6.1
- pkg:rpm/suse/opencv&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP1, range: < 3.3.1-6.6.1
- pkg:rpm/suse/opencv&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP2, range: < 3.3.1-6.6.1
Patches
4a7ca5a29103 OpenCV version++ (3.4.7)
1 file changed · +1 −1
modules/core/include/opencv2/core/version.hpp+1 −1 modified@@ -8,7 +8,7 @@ #define CV_VERSION_MAJOR 3 #define CV_VERSION_MINOR 4 #define CV_VERSION_REVISION 7 -#define CV_VERSION_STATUS "-pre" +#define CV_VERSION_STATUS "" #define CVAUX_STR_EXP(__A) #__A #define CVAUX_STR(__A) CVAUX_STR_EXP(__A)
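Review bot: nothing in this hunk touches the bounds handling this CVE is about. The one changed line, in modules/core/include/opencv2/core/version.hpp, switches CV_VERSION_STATUS from "-pre" to "", which marks the 3.4.7 release; the patch entry should point at the change to modules/objdetect/src/cascadedetect.hpp instead, or label this commit as the release marker.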
693877212d34 Fixed video writer filename check for plugins
1 file changed · +2 −1
modules/videoio/src/backend_plugin.cpp+2 −1 modified@@ -480,7 +480,8 @@ class PluginWriter : public cv::IVideoWriter if (plugin_api->Writer_open) { CV_Assert(plugin_api->Writer_release); - if (CV_ERROR_OK == plugin_api->Writer_open(filename.empty() ? 0 : filename.c_str(), fourcc, fps, sz.width, sz.height, isColor, &writer)) + CV_Assert(!filename.empty()); + if (CV_ERROR_OK == plugin_api->Writer_open(filename.c_str(), fourcc, fps, sz.width, sz.height, isColor, &writer)) { CV_Assert(writer); return makePtr<PluginWriter>(plugin_api, writer);
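Review bot: the added CV_Assert(!filename.empty()) inside the if (plugin_api->Writer_open) branch makes an empty filename throw, where the old line passed 0 to Writer_open and let the plugin decide. If callers expect writer creation to fail quietly, fold the test into the condition (!filename.empty() && CV_ERROR_OK == plugin_api->Writer_open(...)) or document the exception. The hunk is confined to modules/videoio/src/backend_plugin.cpp and contains no change to HaarEvaluator::OptFeature::calc.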
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2019-12/msg00025.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- github.com/advisories/GHSA-fw99-f933-rgh8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-14492 (ghsa, ADVISORY)
- github.com/opencv/opencv/compare/33b765d...4a7ca5a (ghsa, x_refsource_MISC, WEB)
- github.com/opencv/opencv/compare/371bba8...ddbd10c (ghsa, x_refsource_MISC, WEB)
- github.com/opencv/opencv/issues/15124 (ghsa, x_refsource_MISC, WEB)