Skip to main content

OpenImageIO CVE-2026-43996

| EUVDEUVD-2026-30417 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-14 GitHub_M
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
May 14, 2026 - 21:32 EUVD
Analysis Generated
May 14, 2026 - 19:47 vuln.today
CVE Published
May 14, 2026 - 19:08 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, the bounds check in TGAInput::decode_pixel computes k + palbytespp as unsigned 32-bit arithmetic. When k = 0xFFFFFFFC and palbytespp = 4, the addition wraps to 0, which compares less than palette_alloc_size and passes the check. The subsequent palette access uses the unwrapped k (0xFFFFFFFC) as the index, reading ~4 GB past the start of the palette buffer - SEGV. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

AnalysisAI

Integer overflow in OpenImageIO TGA image decoder allows local attackers to trigger out-of-bounds buffer read and denial of service. When processing TGA image files, the bounds check in TGAInput::decode_pixel computes k + palbytespp using unsigned 32-bit arithmetic; specifically, when k equals 0xFFFFFFFC and palbytespp equals 4, the sum wraps to zero, bypassing the palette size validation. The subsequent palette access then uses the unwrapped value as an array index, reading approximately 4 GB past the palette buffer start, causing a segmentation fault. Affects OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0; requires local file access and user interaction to open a malicious TGA file. CVSS score of 5.5 reflects local-only attack vector with high availability impact but no confidentiality or integrity impact.

Technical ContextAI

OpenImageIO is an Academy Software Foundation library for image I/O operations in VFX/animation workflows. The vulnerability exists in the TGA (Truevision Graphics Adapter) image format decoder, specifically in the TGAInput::decode_pixel function that processes palette-based TGA images. The root cause is a classic integer overflow leading to insufficient bounds checking (CWE-125: Out-of-bounds Read). TGA files support indexed color modes with palette data; the decoder reads palette entries during decompression. The vulnerability exploits the implicit unsigned integer wrap-around behavior in C/C++: when k (current palette index) is 0xFFFFFFFC (4,294,967,292 in unsigned 32-bit terms) and palbytespp (palette bytes per pixel, typically 4) is added, the sum wraps from 0x100000000 back to 0x00000000, making the wrapped value appear valid against palette_alloc_size. However, the actual palette access then uses the original k value, resulting in a massive out-of-bounds read that causes a segmentation fault due to access to unmapped memory regions.

RemediationAI

Upgrade to OpenImageIO 3.0.18.0 or later for the 3.0 branch, or 3.1.13.0 or later for the 3.1 branch. These patched versions correct the integer overflow by performing bounds checking using proper unsigned integer arithmetic or by adding additional validation before the palette access. The patch should be applied to all applications and libraries that depend on OpenImageIO, including VFX software, image processing tools, and animation pipelines. No workarounds are available; patching is the primary remediation. For organizations unable to immediately upgrade, mitigate risk by restricting file import to trusted TGA sources, disabling TGA format support if not essential to workflows, or isolating image processing operations in sandboxed environments to limit crash impact. Note that the latter mitigations do not prevent denial of service, only limit scope. Refer to the GitHub Advisory at https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-mq8j-73c4-cr55 for release notes and migration guidance.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-43996 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy