Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the pixel-loop index expression i * 3 inside ConvertCbYCrYToRGB() causes the function to compute a large negative pointer offset into the output buffer, producing an out-of-bounds write that crashes the process. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
AnalysisAI
Out-of-bounds write in OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0 allows remote attackers to crash applications or potentially execute arbitrary code by delivering maliciously crafted CbYCrY image files. A signed integer overflow in the ConvertCbYCrYToRGB() pixel-loop calculation generates large negative pointer offsets, corrupting memory during image processing. EPSS data not available; no evidence of active exploitation (not in CISA KEV); exploitation requires user interaction to process attacker-supplied image files.
Technical ContextAI
OpenImageIO is a widely-used C++ library in VFX and animation pipelines for reading, writing, and manipulating diverse image formats. The vulnerability resides in ConvertCbYCrYToRGB(), a color space conversion function that processes CbYCrY (chroma-luma) encoded image data. The pixel-loop uses expression 'i * 3' as an index with a signed 32-bit integer type. When processing malformed images with specific dimensional characteristics, this multiplication overflows the integer bounds (CWE-190: Integer Overflow or Wraparound), wrapping to large negative values. These negative values are then used as pointer offsets into the output buffer, resulting in out-of-bounds memory writes that bypass intended buffer boundaries. Affected products per CPE: OpenImageIO versions before 3.0.18.0 in the 3.0.x branch and before 3.1.13.0 in the 3.1.x branch, as published by the Academy Software Foundation.
RemediationAI
Upgrade to OpenImageIO version 3.0.18.0 or later for 3.0.x deployments, or version 3.1.13.0 or later for 3.1.x deployments, as specified in GitHub security advisory GHSA-2jr5-q49v-3858 (https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-2jr5-q49v-3858). Both versions contain patches that address the integer overflow in ConvertCbYCrYToRGB() by implementing safer index arithmetic. If immediate patching is not feasible, implement compensating controls: restrict image processing to trusted sources only, deploy input validation to reject CbYCrY format images or enforce strict dimensional limits before processing (note: may break legitimate workflows requiring this color space), and isolate image processing operations in sandboxed environments with limited privileges to contain potential exploitation impact (reduces consequences but does not prevent exploitation). For internet-facing services, deploy web application firewalls or content filters to block suspicious image uploads, though this provides limited protection against sophisticated format manipulation.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30413