Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the loop index expression i * 4 inside SwapRGBABytes() causes the function to compute a large negative pointer offset when processing kABGR DPX images with large dimensions. The immediate crash is an out-of-bounds read (the memcpy at line 45 reads from &input[i * 4] first), but the subsequent write operations at lines 46-49 target the same wrapped offset - making this a combined OOB read+write primitive. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
AnalysisAI
Remote code execution in OpenImageIO versions before 3.0.18.0 and 3.1.13.0 allows unauthenticated attackers to achieve arbitrary read/write memory access by delivering a maliciously crafted kABGR DPX image file with oversized dimensions. The signed integer overflow in SwapRGBABytes() creates a negative pointer offset that enables both out-of-bounds read via memcpy and subsequent out-of-bounds writes, potentially leading to code execution when a user opens the malicious image. EPSS data not available; no confirmed active exploitation (not in CISA KEV), though the vendor-disclosed nature and VFX industry targeting suggests focused adversary interest in content creation pipelines.
Technical ContextAI
OpenImageIO is an Academy Software Foundation library widely used in visual effects and animation pipelines for image I/O operations across dozens of file formats. The vulnerability resides in SwapRGBABytes(), a pixel data transformation function that processes DPX (Digital Picture Exchange) files in kABGR format. DPX is a SMPTE standard for exchanging resolution-independent pixel data in film and video post-production. The root cause is CWE-125 (Out-of-bounds Read) combined with out-of-bounds write: when processing images with dimensions that cause the loop index expression 'i * 4' to exceed INT_MAX (2,147,483,647), the signed 32-bit integer wraps to a large negative value. This negative offset is then used as a pointer offset to both read (memcpy source at line 45) and write (direct assignments at lines 46-49) pixel component data, creating a primitive for arbitrary memory access relative to the input buffer base address. The CVSS vector AV:N/AC:L indicates network delivery with low complexity, while UI:R reflects the requirement for user interaction to open the malicious file.
RemediationAI
Upgrade to OpenImageIO version 3.0.18.0 or later for the 3.0.x branch, or version 3.1.13.0 or later for the 3.1.x branch. Patches are vendor-released and address the signed integer overflow in SwapRGBABytes() function. Download fixed versions from the official GitHub repository or Academy Software Foundation distribution channels, referencing GHSA-g267-j53j-5258 for release notes. If immediate patching is not feasible, implement application-layer input validation to reject DPX files exceeding safe dimensional thresholds (width × height < 536,870,912 to prevent 'i * 4' from exceeding INT_MAX when processing RGBA data), though this mitigation reduces functionality for legitimate high-resolution content and does not address the root cause. Alternatively, disable DPX format support entirely in environments where it is not operationally required, though this breaks workflows dependent on SMPTE DPX interchange. Network-based controls (blocking .dpx email attachments, web upload restrictions) provide defense-in-depth but do not protect against insider threats or supply chain compromise of trusted content sources. Audit logs should monitor for abnormal crashes in OpenImageIO-dependent processes as potential exploitation indicators.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30415