Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed integer overflow in QueryRGBBufferSizeInternal() in DPXColorConverter.cpp leads to a heap-based out-of-bounds write when processing crafted DPX image files. The function computes buffer sizes using 32-bit signed integer arithmetic with negative multipliers (e.g., pixels * -3 * bytes for kCbYCr descriptors and pixels * -4 * bytes for kABGR descriptors), where a negative result is used as an in-band signal that no separate buffer is needed. When the pixel count is sufficiently large, the multiplication overflows INT_MIN and wraps to a small positive value. The caller in dpxinput.cpp interprets this positive value as a required buffer size, allocates an undersized heap buffer via m_decodebuf.resize(), and then writes the full image data into it via fread, resulting in a heap buffer overflow. An attacker can exploit this by crafting a DPX file that triggers the overflow, causing a denial of service (crash) or potentially arbitrary code execution through heap corruption in any application that reads pixel data using OpenImageIO. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
AnalysisAI
Heap buffer overflow in OpenImageIO 3.0.x (before 3.0.18.0) and 3.1.x (before 3.1.13.0) allows remote attackers to achieve denial of service or potentially arbitrary code execution via crafted DPX image files. The vulnerability stems from signed integer overflow in buffer size calculations within the DPX color converter, causing undersized heap allocations. Attack requires victim to open a malicious DPX file (user interaction required per CVSS UI:R). No public exploit code or active exploitation confirmed at time of analysis, though the technical details in the GitHub advisory provide sufficient detail for proof-of-concept development.
Technical ContextAI
OpenImageIO is a widely-used image I/O library in visual effects and animation pipelines, handling formats like DPX (Digital Picture Exchange). The vulnerability (CWE-190: Integer Overflow or Wraparound) occurs in QueryRGBBufferSizeInternal() within DPXColorConverter.cpp, which uses 32-bit signed integer arithmetic with intentional negative multipliers for certain color descriptors (kCbYCr uses pixels * -3 * bytes, kABGR uses pixels * -4 * bytes). Negative results signal to callers that no separate buffer allocation is needed. However, when pixel counts exceed approximately 536 million (for the -4 multiplier case), the multiplication wraps past INT_MIN to a small positive value. The caller in dpxinput.cpp misinterprets this as a valid buffer size requirement, allocates an undersized heap buffer via std::vector::resize(), then writes full image data via fread(), triggering classic heap buffer overflow. The affected CPE (cpe:2.3:a:academysoftwarefoundation:openimageio:*:*:*:*:*:*:*:*) indicates broad impact across any application integrating these library versions for image processing.
RemediationAI
Upgrade to OpenImageIO version 3.0.18.0 or later for the 3.0.x branch, or version 3.1.13.0 or later for the 3.1.x branch. Vendor-confirmed patched releases address the signed integer overflow in QueryRGBBufferSizeInternal() by correcting buffer size calculation logic. Download patched versions from the official Academy Software Foundation repository. If immediate patching is not feasible, implement file provenance controls to restrict DPX file processing to trusted sources only - block external DPX files at email gateways and enforce strict access controls on shared storage containing image assets. Consider sandboxing OpenImageIO-based applications using OS-level isolation (containers, restrictive AppArmor/SELinux profiles) to limit impact of potential exploitation. Note that DPX format restrictions may disrupt legitimate workflows requiring external vendor-supplied content; assess business impact before deployment. Monitor for abnormal application crashes when processing DPX files as potential exploitation indicator. Consult the GitHub advisory at https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-cq46-hp4h-cvfr for additional technical details.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30410