CVE-2025-10021: CWE-457: Use of Uninitialized Variable in Open Design Alliance ODA Drawings SDK - All Versions < 2026.12
A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. The static object `COdaMfcAppApp theApp` may access `OdString::kEmpty` before its initialization. Because the initialization order of static objects across translation units is undefined (the Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in an application crash on startup, causing denial of service. Because the behavior is undefined, memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.
AI Analysis
Technical Summary
CVE-2025-10021 is a vulnerability classified under CWE-457 (Use of Uninitialized Variable) affecting all static versions of the Open Design Alliance Drawings SDK before version 2026.12. The root cause is the undefined initialization order of static objects across translation units, commonly known as the Static Initialization Order Fiasco. Specifically, the static object `COdaMfcAppApp theApp` may access the static member `OdString::kEmpty` before it has been initialized. This results in the application reading uninitialized memory, which causes a crash during startup, leading to a denial of service condition. Because the behavior is undefined, there is a risk that memory corruption could occur, which in turn might be leveraged to achieve arbitrary code execution under certain conditions. The vulnerability has a CVSS 4.0 score of 7 (high severity), with an attack vector limited to local access, no required privileges, and no user interaction needed. The vulnerability affects software that statically links the ODA Drawings SDK, which is widely used in CAD and engineering design applications. Although no public exploits are known, the potential for severe impact exists, especially in environments where availability and integrity of design software are critical.
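The ordering problem described above, reduced to a single file, as an added example that is not ODA SDK code. `OdStringLike`, `kEmptyVuln`, `theAppVuln` and `theAppFixed` are hypothetical stand-ins for the SDK's `OdString::kEmpty` and `theApp`. Across translation units the relative order of dynamic initialization is unspecified, so the real bug is intermittent and toolchain-dependent; within one translation unit the order is definition order, so placing the consumer before the constant it depends on reproduces the bad ordering deterministically. The fix shown is the standard construct-on-first-use accessor (a function-local static), which C++11 also makes thread-safe to initialize. The vulnerable path records only that its dependency had not been constructed yet, via a constant-initialized counter, rather than reading the unconstructed object, so the demonstration itself stays free of undefined behavior.

```cpp
// Added example, not ODA SDK code: a one-file model of the static
// initialization order hazard described for CVE-2025-10021 and the
// usual fix. OdStringLike, kEmptyVuln, theAppVuln and theAppFixed are
// hypothetical stand-ins for the SDK's OdString::kEmpty and theApp.
#include <cstddef>
#include <cstdio>
#include <cstring>

// Constant-initialized counter: reading it at any point during dynamic
// initialization is well defined, so it can safely record ordering.
static int g_constants_constructed = 0;

// Stand-in for an SDK string type whose "empty" constant is a static object.
struct OdStringLike {
    const char* text;
    std::size_t length;
    bool constructed;   // zero-filled (not yet constructed) storage holds false

    // Deliberately not constexpr and with a side effect on another static,
    // so the compiler must perform dynamic initialization at startup.
    explicit OdStringLike(const char* s)
        : text(s), length(std::strlen(s)), constructed(true) {
        ++g_constants_constructed;
    }

    // Construct-on-first-use: the object is built the first time any code
    // asks for it, regardless of which translation unit initializes first.
    static const OdStringLike& empty() {
        static const OdStringLike instance("");
        return instance;
    }
};

// Vulnerable shape: the consumer is defined before the constant it needs.
// In the real SDK the two live in different translation units, where the
// relative order is unspecified; within one unit it is definition order,
// which reproduces the bad ordering deterministically.
struct AppVuln {
    bool dependency_was_ready;
    AppVuln() : dependency_was_ready(g_constants_constructed > 0) {
        // A real application would read kEmptyVuln here and see its
        // zero-filled, not-yet-constructed storage; we only record the fact.
    }
};
static AppVuln theAppVuln;                 // runs first ...
static const OdStringLike kEmptyVuln("");  // ... its dependency, second

// Fixed shape: the consumer goes through the accessor, so the constant is
// fully constructed before the consumer's constructor continues.
struct AppFixed {
    bool dependency_was_ready;
    AppFixed() : dependency_was_ready(OdStringLike::empty().constructed) {}
};
static AppFixed theAppFixed;

bool vuln_app_saw_dependency_ready()  { return theAppVuln.dependency_was_ready; }
bool fixed_app_saw_dependency_ready() { return theAppFixed.dependency_was_ready; }

int main() {
    std::printf("vulnerable ordering, dependency ready: %s\n",
                vuln_app_saw_dependency_ready() ? "yes" : "no");   // no
    std::printf("construct-on-first-use, dependency ready: %s\n",
                fixed_app_saw_dependency_ready() ? "yes" : "no");  // yes
    std::printf("kEmptyVuln length once startup finished: %zu\n",
                kEmptyVuln.length);                                // 0
    return 0;
}
```

Two design notes for anyone auditing statically linked SDK code for the same pattern: the accessor only fixes construction order, not destruction order at exit, so objects touched from destructors of other statics need the same care; and where the constant can be computed at compile time, a `constexpr` constructor lets the compiler constant-initialize it, leaving no dynamic initialization to order at all.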
Potential Impact
For European organizations, particularly those in engineering, architecture, and manufacturing sectors relying on CAD software built on the ODA Drawings SDK, this vulnerability poses a significant risk. The immediate impact is denial of service due to application crashes on startup, which can disrupt design workflows and project timelines. More critically, the possibility of memory corruption and arbitrary code execution could lead to unauthorized code execution, potentially compromising system integrity and confidentiality. This is especially concerning for organizations handling sensitive design data or intellectual property. Disruptions could affect supply chains and critical infrastructure projects. Given the local attack vector, insider threats or compromised internal systems could exploit this vulnerability. The lack of known exploits currently reduces immediate risk, but the high severity and potential for escalation make timely mitigation essential.
Mitigation Recommendations
1. Upgrade to ODA Drawings SDK version 2026.12 or later, where this vulnerability is resolved.
2. If upgrading is not immediately feasible, implement application-level mitigations such as sandboxing the affected software to limit potential damage from crashes or exploitation.
3. Conduct code reviews and static analysis on any custom integrations or static linking of the SDK to identify and mitigate uninitialized variable usage.
4. Employ runtime memory protection mechanisms (e.g., ASLR, DEP) to reduce the likelihood of successful exploitation of memory corruption.
5. Restrict local access to systems running vulnerable versions to trusted personnel only, minimizing the risk of local exploitation.
6. Monitor application logs and system behavior for unusual crashes or anomalies that could indicate exploitation attempts.
7. Engage with the software vendor or development team to prioritize patch deployment and verify the integrity of updates.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland, Belgium, Czech Republic
Technical Details
- Data Version: 5.2
- Assigner Short Name: ODA
- Date Reserved: 2025-09-05T10:51:56.557Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69496a9ea3c8169c9ce67026
Added to database: 12/22/2025, 3:58:22 PM
Last enriched: 12/22/2025, 4:10:50 PM
Last updated: 2/7/2026, 7:29:16 AM
Views: 55