Skip to main content

OpenImageIO CVE-2026-43908

| EUVDEUVD-2026-30413 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-05-14 GitHub_M
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 14, 2026 - 21:32 EUVD
Analysis Generated
May 14, 2026 - 19:45 vuln.today
CVE Published
May 14, 2026 - 19:01 nvd
HIGH 8.8

DescriptionGitHub Advisory

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the pixel-loop index expression i * 3 inside ConvertCbYCrYToRGB() causes the function to compute a large negative pointer offset into the output buffer, producing an out-of-bounds write that crashes the process. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

AnalysisAI

Out-of-bounds write in OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0 allows remote attackers to crash applications or potentially execute arbitrary code by delivering maliciously crafted CbYCrY image files. A signed integer overflow in the ConvertCbYCrYToRGB() pixel-loop calculation generates large negative pointer offsets, corrupting memory during image processing. EPSS data not available; no evidence of active exploitation (not in CISA KEV); exploitation requires user interaction to process attacker-supplied image files.

Technical ContextAI

OpenImageIO is a widely-used C++ library in VFX and animation pipelines for reading, writing, and manipulating diverse image formats. The vulnerability resides in ConvertCbYCrYToRGB(), a color space conversion function that processes CbYCrY (chroma-luma) encoded image data. The pixel-loop uses expression 'i * 3' as an index with a signed 32-bit integer type. When processing malformed images with specific dimensional characteristics, this multiplication overflows the integer bounds (CWE-190: Integer Overflow or Wraparound), wrapping to large negative values. These negative values are then used as pointer offsets into the output buffer, resulting in out-of-bounds memory writes that bypass intended buffer boundaries. Affected products per CPE: OpenImageIO versions before 3.0.18.0 in the 3.0.x branch and before 3.1.13.0 in the 3.1.x branch, as published by the Academy Software Foundation.

RemediationAI

Upgrade to OpenImageIO version 3.0.18.0 or later for 3.0.x deployments, or version 3.1.13.0 or later for 3.1.x deployments, as specified in GitHub security advisory GHSA-2jr5-q49v-3858 (https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-2jr5-q49v-3858). Both versions contain patches that address the integer overflow in ConvertCbYCrYToRGB() by implementing safer index arithmetic. If immediate patching is not feasible, implement compensating controls: restrict image processing to trusted sources only, deploy input validation to reject CbYCrY format images or enforce strict dimensional limits before processing (note: may break legitimate workflows requiring this color space), and isolate image processing operations in sandboxed environments with limited privileges to contain potential exploitation impact (reduces consequences but does not prevent exploitation). For internet-facing services, deploy web application firewalls or content filters to block suspicious image uploads, though this provides limited protection against sophisticated format manipulation.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-43908 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy