CVE-2019-5064
Description
An exploitable heap buffer overflow vulnerability exists in the data structure persistence functionality of OpenCV, before version 4.2.0. A specially crafted JSON file can cause a buffer overflow, resulting in multiple heap corruptions and potentially code execution. An attacker can provide a specially crafted file to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2019-5064 is a heap buffer overflow in OpenCV's JSON persistence, allowing code execution via crafted files before version 4.2.0.
Vulnerability
Analysis
CVE-2019-5064 is a heap buffer overflow vulnerability in the data structure persistence functionality of OpenCV, affecting versions before 4.2.0. The issue resides in the JSON file parsing routine within persistence_json.cpp, where a fixed-size buffer of CV_FS_MAX_LEN+1024 (5120 bytes) is used to copy JSON values. When a null byte is encountered during parsing, the entire value up to that point is copied without a bounds check, allowing an oversized value to overflow the heap-allocated buffer [2].
Exploitation
Conditions
Exploitation requires a user to open a specially crafted JSON file using OpenCV's persistence functionality. No authentication is needed, as the attack vector is local or remote if an application loads user-supplied files over a network. The CVSSv3 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates low attack complexity and user interaction is limited to opening the file [2][3].
Impact
Successful exploitation results in heap corruption, which can be leveraged to achieve arbitrary code execution in the context of the OpenCV process. This could lead to data theft, system compromise, or further lateral movement within a network [1][2].
Mitigation
The vulnerability is fixed in OpenCV version 4.2.0 [4]. Users should upgrade to this or later versions. No known workarounds exist, but limiting the ingestion of untrusted persistence files can reduce risk. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
opencv-pythonPyPI | < 4.2.0.32 | 4.2.0.32 |
opencv-python-headlessPyPI | < 4.2.0.32 | 4.2.0.32 |
opencv-contrib-pythonPyPI | < 4.2.0.32 | 4.2.0.32 |
opencv-contrib-python-headlessPyPI | < 4.2.0.32 | 4.2.0.32 |
Affected products
5- ghsa-coords4 versionspkg:pypi/opencv-contrib-pythonpkg:pypi/opencv-contrib-python-headlesspkg:pypi/opencv-pythonpkg:pypi/opencv-python-headless
< 4.2.0.32+ 3 more
- (no CPE)range: < 4.2.0.32
- (no CPE)range: < 4.2.0.32
- (no CPE)range: < 4.2.0.32
- (no CPE)range: < 4.2.0.32
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- github.com/advisories/GHSA-q799-q27x-vp7wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-5064ghsaADVISORY
- github.com/opencv/opencv-python/releases/tag/32ghsaWEB
- github.com/opencv/opencv/issues/15857ghsax_refsource_MISCWEB
- github.com/opencv/opencv/releases/tag/4.2.0ghsaWEB
- talosintelligence.com/vulnerability_reports/TALOS-2019-0853ghsax_refsource_MISCWEB
- www.oracle.com//security-alerts/cpujul2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.