Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, jpeg2000input.cpp:395 computes buffer size as const int bufsize = w * h * ch * buffer_bpp using signed 32-bit arithmetic. When the product exceeds INT_MAX, the result wraps to 0 or a small value. m_buf.resize() allocates an undersized buffer, and subsequent pixel write loops cause heap overflow. Conditional on USE_OPENJPH build flag. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
AnalysisAI
Heap overflow in OpenImageIO's JPEG 2000 decoder allows local attackers with malicious image files to execute arbitrary code. Affects versions before 3.0.18.0 and 3.1.x before 3.1.13.0 when compiled with USE_OPENJPH flag. Integer overflow in buffer size calculation causes undersized heap allocation, leading to memory corruption during pixel writes. No public exploit identified at time of analysis, but SSVC framework indicates POC exists. Vendor-released patches available in versions 3.0.18.0 and 3.1.13.0.
Technical ContextAI
OpenImageIO is an Academy Software Foundation library for reading and writing image formats used in visual effects and animation pipelines. The vulnerability resides in jpeg2000input.cpp at line 395, where buffer size is computed using signed 32-bit multiplication (w * h * ch * buffer_bpp). When processing maliciously crafted JPEG 2000 images with dimensions that cause this product to exceed INT_MAX (2,147,483,647), integer overflow (CWE-190) causes the result to wrap to zero or a small positive value. The subsequent m_buf.resize() allocates an undersized heap buffer, but pixel write loops proceed assuming the full calculated size, writing beyond allocated bounds and corrupting heap memory. This vulnerability only manifests in builds compiled with the USE_OPENJPH build flag, which enables OpenJPH JPEG 2000 codec support. CPE cpe:2.3:a:academysoftwarefoundation:openimageio identifies the affected component from the Academy Software Foundation.
RemediationAI
Upgrade to OpenImageIO version 3.0.18.0 for the stable branch or 3.1.13.0 for the development branch as documented in GitHub Security Advisory GHSA-pj45-cf3g-28gq at https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-pj45-cf3g-28gq. Both patches implement proper integer overflow checks in jpeg2000input.cpp buffer size calculations. If immediate patching is not feasible, disable USE_OPENJPH at compile time and rebuild without OpenJPH JPEG 2000 codec support, though this eliminates JPEG 2000 format handling capabilities. As compensating control, implement strict input validation to reject JPEG 2000 files with suspicious dimensions (width × height × channels exceeding safe thresholds around 500 million pixels) before passing to OpenImageIO, though this may break legitimate high-resolution content workflows. Restrict processing of JPEG 2000 images to trusted sources only and run OpenImageIO processing in sandboxed environments with limited privileges to contain potential exploitation impact.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30398