Skip to main content

OpenImageIO EUVDEUVD-2026-30398

| CVE-2026-43905 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-05-14 GitHub_M
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

5
Analysis Generated
May 14, 2026 - 21:48 vuln.today
Patch available
May 14, 2026 - 21:32 EUVD
CVSS changed
May 14, 2026 - 20:22 NVD
7.1 (HIGH)
CVE Published
May 14, 2026 - 19:09 nvd
UNKNOWN (no severity yet)
CVE Published
May 14, 2026 - 19:09 nvd
HIGH 7.1

DescriptionGitHub Advisory

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, jpeg2000input.cpp:395 computes buffer size as const int bufsize = w * h * ch * buffer_bpp using signed 32-bit arithmetic. When the product exceeds INT_MAX, the result wraps to 0 or a small value. m_buf.resize() allocates an undersized buffer, and subsequent pixel write loops cause heap overflow. Conditional on USE_OPENJPH build flag. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

AnalysisAI

Heap overflow in OpenImageIO's JPEG 2000 decoder allows local attackers with malicious image files to execute arbitrary code. Affects versions before 3.0.18.0 and 3.1.x before 3.1.13.0 when compiled with USE_OPENJPH flag. Integer overflow in buffer size calculation causes undersized heap allocation, leading to memory corruption during pixel writes. No public exploit identified at time of analysis, but SSVC framework indicates POC exists. Vendor-released patches available in versions 3.0.18.0 and 3.1.13.0.

Technical ContextAI

OpenImageIO is an Academy Software Foundation library for reading and writing image formats used in visual effects and animation pipelines. The vulnerability resides in jpeg2000input.cpp at line 395, where buffer size is computed using signed 32-bit multiplication (w * h * ch * buffer_bpp). When processing maliciously crafted JPEG 2000 images with dimensions that cause this product to exceed INT_MAX (2,147,483,647), integer overflow (CWE-190) causes the result to wrap to zero or a small positive value. The subsequent m_buf.resize() allocates an undersized heap buffer, but pixel write loops proceed assuming the full calculated size, writing beyond allocated bounds and corrupting heap memory. This vulnerability only manifests in builds compiled with the USE_OPENJPH build flag, which enables OpenJPH JPEG 2000 codec support. CPE cpe:2.3:a:academysoftwarefoundation:openimageio identifies the affected component from the Academy Software Foundation.

RemediationAI

Upgrade to OpenImageIO version 3.0.18.0 for the stable branch or 3.1.13.0 for the development branch as documented in GitHub Security Advisory GHSA-pj45-cf3g-28gq at https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-pj45-cf3g-28gq. Both patches implement proper integer overflow checks in jpeg2000input.cpp buffer size calculations. If immediate patching is not feasible, disable USE_OPENJPH at compile time and rebuild without OpenJPH JPEG 2000 codec support, though this eliminates JPEG 2000 format handling capabilities. As compensating control, implement strict input validation to reject JPEG 2000 files with suspicious dimensions (width × height × channels exceeding safe thresholds around 500 million pixels) before passing to OpenImageIO, though this may break legitimate high-resolution content workflows. Restrict processing of JPEG 2000 images to trusted sources only and run OpenImageIO processing in sandboxed environments with limited privileges to contain potential exploitation impact.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-30398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy