Which versions of OpenImageIO are affected by CVE-2026-43906?

OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0 contain a heap-based buffer overflow in the HEIF decoder that enables arbitrary code execution when users open malicious image files.. A patch is available.

OpenImageIO CVE-2026-43906

Q: What is the CVSS score of CVE-2026-43906?

CVE-2026-43906 has a CVSS 4.0 base score of 8.5 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-30404 HIGH

Heap-based Buffer Overflow (CWE-122)

2026-05-14 GitHub_M

RCE Buffer Overflow Heap Overflow Suse

8.5

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

May 14, 2026 - 21:48 vuln.today

Patch available

May 14, 2026 - 21:32 EUVD

CVSS changed

May 14, 2026 - 20:22 NVD

8.5 (HIGH)

CVE Published

May 14, 2026 - 18:54 nvd

UNKNOWN (no severity yet)

CVE Published

May 14, 2026 - 18:54 nvd

HIGH 8.5

DescriptionNVD

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a heap-based buffer overflow in the HEIF decoder of OpenImageIO allows out-of-bounds writes via crafted images due to a subimage metadata mismatch, leading to memory corruption and potential code execution. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

AnalysisAI

Heap-based buffer overflow in OpenImageIO's HEIF decoder enables arbitrary code execution via crafted image files. Affects OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0. …

RemediationAI

Within 24 hours: inventory all systems running OpenImageIO and identify which versions are deployed. Within 7 days: upgrade OpenImageIO to version 3.0.18.0 or 3.1.13.0 depending on your current branch; prioritize systems that process untrusted images. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-43906 vulnerability details – vuln.today

Back

OpenImageIO CVE-2026-43906

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

OpenImageIO CVE-2026-43906

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code