What is the CVSS score of CVE-2026-43907?

CVE-2026-43907 has a CVSS 3.1 base score of 8.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of OpenImageIO are affected by CVE-2026-43907?

OpenImageIO versions 3.0.x and 3.1.x contain a heap buffer overflow vulnerability that could allow attackers to crash applications or execute arbitrary code when users open malicious DPX image files.. A patch is available.

OpenImageIO CVE-2026-43907

EUVD-2026-30410 HIGH

Integer Overflow or Wraparound (CWE-190)

2026-05-14 GitHub_M

RCE Buffer Overflow Denial Of Service Integer Overflow Suse

8.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 14, 2026 - 21:32 EUVD

Analysis Generated

May 14, 2026 - 19:46 vuln.today

CVE Published

May 14, 2026 - 19:07 nvd

HIGH 8.3

DescriptionNVD

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed integer overflow in QueryRGBBufferSizeInternal() in DPXColorConverter.cpp leads to a heap-based out-of-bounds write when processing crafted DPX image files. The function computes buffer sizes using 32-bit signed integer arithmetic with negative multipliers (e.g., pixels * -3 * bytes for kCbYCr descriptors and pixels * -4 * bytes for kABGR descriptors), where a negative result is used as an in-band signal that no separate buffer is needed. When the pixel count is sufficiently large, the multiplication overflows INT_MIN and wraps to a small positive value. The caller in dpxinput.cpp interprets this positive value as a required buffer size, allocates an undersized heap buffer via m_decodebuf.resize(), and then writes the full image data into it via fread, resulting in a heap buffer overflow. An attacker can exploit this by crafting a DPX file that triggers the overflow, causing a denial of service (crash) or potentially arbitrary code execution through heap corruption in any application that reads pixel data using OpenImageIO. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

AnalysisAI

Heap buffer overflow in OpenImageIO 3.0.x (before 3.0.18.0) and 3.1.x (before 3.1.13.0) allows remote attackers to achieve denial of service or potentially arbitrary code execution via crafted DPX image files. The vulnerability stems from signed integer overflow in buffer size calculations within the DPX color converter, causing undersized heap allocations. …

RemediationAI

Within 24 hours: Inventory all systems running OpenImageIO 3.0.x (before 3.0.18.0) or 3.1.x (before 3.1.13.0) and restrict user access to untrusted DPX files. Within 7 days: Implement file type validation and disable DPX file processing where operationally feasible; monitor vendor advisories for patch release. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-43907 vulnerability details – vuln.today

Back