Skip to main content

OpenImageIO CVE-2026-43907

| EUVDEUVD-2026-30410 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-05-14 GitHub_M
8.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 14, 2026 - 21:32 EUVD
Analysis Generated
May 14, 2026 - 19:46 vuln.today
CVE Published
May 14, 2026 - 19:07 nvd
HIGH 8.3

DescriptionGitHub Advisory

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed integer overflow in QueryRGBBufferSizeInternal() in DPXColorConverter.cpp leads to a heap-based out-of-bounds write when processing crafted DPX image files. The function computes buffer sizes using 32-bit signed integer arithmetic with negative multipliers (e.g., pixels * -3 * bytes for kCbYCr descriptors and pixels * -4 * bytes for kABGR descriptors), where a negative result is used as an in-band signal that no separate buffer is needed. When the pixel count is sufficiently large, the multiplication overflows INT_MIN and wraps to a small positive value. The caller in dpxinput.cpp interprets this positive value as a required buffer size, allocates an undersized heap buffer via m_decodebuf.resize(), and then writes the full image data into it via fread, resulting in a heap buffer overflow. An attacker can exploit this by crafting a DPX file that triggers the overflow, causing a denial of service (crash) or potentially arbitrary code execution through heap corruption in any application that reads pixel data using OpenImageIO. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

AnalysisAI

Heap buffer overflow in OpenImageIO 3.0.x (before 3.0.18.0) and 3.1.x (before 3.1.13.0) allows remote attackers to achieve denial of service or potentially arbitrary code execution via crafted DPX image files. The vulnerability stems from signed integer overflow in buffer size calculations within the DPX color converter, causing undersized heap allocations. Attack requires victim to open a malicious DPX file (user interaction required per CVSS UI:R). No public exploit code or active exploitation confirmed at time of analysis, though the technical details in the GitHub advisory provide sufficient detail for proof-of-concept development.

Technical ContextAI

OpenImageIO is a widely-used image I/O library in visual effects and animation pipelines, handling formats like DPX (Digital Picture Exchange). The vulnerability (CWE-190: Integer Overflow or Wraparound) occurs in QueryRGBBufferSizeInternal() within DPXColorConverter.cpp, which uses 32-bit signed integer arithmetic with intentional negative multipliers for certain color descriptors (kCbYCr uses pixels * -3 * bytes, kABGR uses pixels * -4 * bytes). Negative results signal to callers that no separate buffer allocation is needed. However, when pixel counts exceed approximately 536 million (for the -4 multiplier case), the multiplication wraps past INT_MIN to a small positive value. The caller in dpxinput.cpp misinterprets this as a valid buffer size requirement, allocates an undersized heap buffer via std::vector::resize(), then writes full image data via fread(), triggering classic heap buffer overflow. The affected CPE (cpe:2.3:a:academysoftwarefoundation:openimageio:*:*:*:*:*:*:*:*) indicates broad impact across any application integrating these library versions for image processing.

RemediationAI

Upgrade to OpenImageIO version 3.0.18.0 or later for the 3.0.x branch, or version 3.1.13.0 or later for the 3.1.x branch. Vendor-confirmed patched releases address the signed integer overflow in QueryRGBBufferSizeInternal() by correcting buffer size calculation logic. Download patched versions from the official Academy Software Foundation repository. If immediate patching is not feasible, implement file provenance controls to restrict DPX file processing to trusted sources only - block external DPX files at email gateways and enforce strict access controls on shared storage containing image assets. Consider sandboxing OpenImageIO-based applications using OS-level isolation (containers, restrictive AppArmor/SELinux profiles) to limit impact of potential exploitation. Note that DPX format restrictions may disrupt legitimate workflows requiring external vendor-supplied content; assess business impact before deployment. Monitor for abnormal application crashes when processing DPX files as potential exploitation indicator. Consult the GitHub advisory at https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-cq46-hp4h-cvfr for additional technical details.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-43907 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy