CVE-2019-16249
Description
OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp when called from computeSSDMeanNorm in modules/video/src/dis_flow.cpp.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenCV 4.1.1 has an out-of-bounds read in the DIS optical flow implementation, leading to potential memory disclosure or crash.
Vulnerability
Overview
CVE-2019-16249 is an out-of-bounds read vulnerability in OpenCV 4.1.1, specifically in the hal_baseline::v_load function within core/hal/intrin_sse.hpp. This function is called from computeSSDMeanNorm in modules/video/src/dis_flow.cpp, which is part of the DIS optical flow algorithm [3]. The root cause is that the code does not properly validate buffer boundaries when loading data via SSE instructions, allowing reads beyond an allocated memory region [4].
Exploitation
Conditions
To exploit this vulnerability, an attacker must supply crafted input (e.g., video frames or images) to an application using OpenCV's DIS optical flow functionality. No authentication is required if the input is user-controlled. The issue manifests during the computation of the sum of squared differences (SSD) with mean normalization, which occurs in a multi-threaded parallel region [3].
Impact
An out-of-bounds read can cause the application to crash (denial of service) or leak sensitive memory contents, depending on how the read data is used [4]. In the context of OpenCV, this could expose image data or other information from adjacent memory.
Mitigation
The vulnerability has been fixed in OpenCV version 4.1.2 and later, as well as in the commit merged via pull request #15531 [2]. Users are advised to update their OpenCV installation to a patched version. There are no known workarounds other than avoiding the use of DIS optical flow with untrusted input until the update is applied.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| opencv-python | PyPI | < 4.1.2.30 | 4.1.2.30 |
| opencv-python-headless | PyPI | < 4.1.2.30 | 4.1.2.30 |
| opencv-contrib-python | PyPI | < 4.1.2.30 | 4.1.2.30 |
| opencv-contrib-python-headless | PyPI | < 4.1.2.30 | 4.1.2.30 |
Affected products
5 entries:
- OpenCV/OpenCV (from the CVE description)
- GHSA coordinates, 4 packages: pkg:pypi/opencv-contrib-python, pkg:pypi/opencv-contrib-python-headless, pkg:pypi/opencv-python, pkg:pypi/opencv-python-headless; each with range < 4.1.2.30 (no CPE assigned)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6 references:
- github.com/advisories/GHSA-x3rm-644h-67m8 (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-16249 (source: GHSA; type: ADVISORY)
- bugzilla.redhat.com/show_bug.cgi (source: GHSA; type: WEB)
- github.com/opencv/opencv-python/releases/tag/30 (source: GHSA; type: WEB)
- github.com/opencv/opencv/issues/15481 (source: GHSA, x_refsource_MISC; type: WEB)
- github.com/opencv/opencv/pull/15531 (source: GHSA; type: WEB)
News mentions
No linked articles in our index yet.