Skip to main content

OpenImageIO CVE-2026-43903

| EUVDEUVD-2026-30387 HIGH
Out-of-bounds Write (CWE-787)
2026-05-14 GitHub_M
8.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

5
Analysis Generated
May 14, 2026 - 21:49 vuln.today
Patch available
May 14, 2026 - 21:32 EUVD
CVSS changed
May 14, 2026 - 20:22 NVD
8.4 (HIGH)
CVE Published
May 14, 2026 - 19:10 nvd
UNKNOWN (no severity yet)
CVE Published
May 14, 2026 - 19:10 nvd
HIGH 8.4

DescriptionGitHub Advisory

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, sgiinput.cpp:265,274 use OIIO_DASSERT for bounds checking in the RLE decode loop. In release builds, OIIO_DASSERT compiles to ((void)sizeof(x)) (dassert.h:210), making all bounds checks no-ops. A crafted .sgi file with RLE count exceeding scanline width causes heap buffer overflow and crash. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

AnalysisAI

Heap buffer overflow in OpenImageIO's SGI image decoder allows arbitrary code execution via specially crafted .sgi files. Affects versions before 3.0.18.0 and 3.1.13.0 when processing malicious SGI images with invalid RLE compression parameters. Publicly available exploit code exists (SSVC POC status confirmed). Attack requires local file access and user interaction to open the malicious file, but CVSS 8.4 reflects high impact potential (code execution) in VFX/animation production environments where SGI format handling is common. EPSS data unavailable, not listed in CISA KEV.

Technical ContextAI

OpenImageIO is an industry-standard library used in visual effects and animation pipelines for reading and writing numerous image formats including Silicon Graphics Image (SGI/RGB) files. The vulnerability stems from CWE-787 (Out-of-bounds Write) in the RLE (Run-Length Encoding) decompression routine within sgiinput.cpp. The code uses OIIO_DASSERT macros for bounds validation at lines 265 and 274, which are compiled to no-ops (void sizeof operations) in release builds per dassert.h:210. When processing SGI files with RLE-compressed scanlines, the decoder fails to validate that the RLE count value doesn't exceed the scanline width, allowing attacker-controlled data to write beyond allocated heap buffer boundaries. This affects the Academy Software Foundation's OpenImageIO library (CPE: cpe:2.3:a:academysoftwarefoundation:openimageio), a critical dependency in professional media production workflows.

RemediationAI

Upgrade to OpenImageIO version 3.0.18.0 or later for the 3.0.x branch, or version 3.1.13.0 or later for the 3.1.x branch per vendor advisory at https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-jg3q-vm3q-2j35. These versions replace OIIO_DASSERT with runtime bounds validation in the RLE decoder. If immediate patching is not feasible, implement file validation controls: restrict SGI file processing to trusted sources only, sandbox image processing workflows using containers or VMs with limited privileges, and deploy application whitelisting to prevent execution of payloads delivered via image files. Note that input filtering cannot reliably detect malicious RLE parameters without full format parsing, making patching the only comprehensive fix. Organizations using OpenImageIO as a dependency in proprietary applications must rebuild against patched library versions.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-43903 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy