Skip to main content

OpenImageIO EUVDEUVD-2026-30404

| CVE-2026-43906 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-14 GitHub_M
8.5
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

5
Analysis Generated
May 14, 2026 - 21:48 vuln.today
Patch available
May 14, 2026 - 21:32 EUVD
CVSS changed
May 14, 2026 - 20:22 NVD
8.5 (HIGH)
CVE Published
May 14, 2026 - 18:54 nvd
UNKNOWN (no severity yet)
CVE Published
May 14, 2026 - 18:54 nvd
HIGH 8.5

DescriptionGitHub Advisory

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a heap-based buffer overflow in the HEIF decoder of OpenImageIO allows out-of-bounds writes via crafted images due to a subimage metadata mismatch, leading to memory corruption and potential code execution. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

AnalysisAI

Heap-based buffer overflow in OpenImageIO's HEIF decoder enables arbitrary code execution via crafted image files. Affects OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0. Exploitation requires local access and user interaction (opening a malicious image file), but no authentication. Attack complexity is low once the malicious file is delivered. Vendor-released patches available in versions 3.0.18.0 and 3.1.13.0. No confirmed active exploitation (not listed in CISA KEV) and no public POC identified at time of analysis, though the technical details suggest straightforward exploitation once the attacker can deliver a crafted HEIF image to a target user.

Technical ContextAI

OpenImageIO is an Academy Software Foundation toolset widely used in VFX and animation pipelines for reading, writing, and manipulating diverse image file formats. This vulnerability affects the HEIF (High Efficiency Image File Format) decoder component. HEIF is a modern container format commonly used for photos on iOS/macOS devices. The root cause is CWE-122 (heap-based buffer overflow), where a mismatch in subimage metadata within a crafted HEIF file causes the decoder to perform out-of-bounds writes during image parsing. When processing multi-layer or multi-resolution HEIF images, the decoder allocates heap memory based on one set of metadata values but writes data according to mismatched metadata, exceeding buffer boundaries. This memory corruption can be leveraged to overwrite adjacent heap structures and redirect program execution flow. CPE data confirms vulnerability scope: cpe:2.3:a:academysoftwarefoundation:openimageio affecting all versions in the 3.0.x series before 3.0.18.0 and the 3.1.x series before 3.1.13.0, including the 3.1.4.0-beta release.

RemediationAI

Upgrade to OpenImageIO version 3.0.18.0 or later for the 3.0.x series, or version 3.1.13.0 or later for the 3.1.x series. These vendor-released patches address the heap buffer overflow in the HEIF decoder by correcting the subimage metadata validation logic. Download patched versions from the official Academy Software Foundation GitHub repository at https://github.com/AcademySoftwareFoundation/OpenImageIO or through standard package management channels. If immediate patching is not feasible, implement the following compensating controls: disable HEIF format support in OpenImageIO configuration if the format is not required for operational workflows (trade-off: loss of HEIF processing capability); restrict image processing to trusted sources only and implement strict input validation on image file origins (trade-off: reduced workflow flexibility and potential productivity impact); deploy OpenImageIO processes in sandboxed environments with minimal privileges to limit code execution impact (trade-off: increased operational complexity and potential compatibility issues with existing pipelines). For VFX and animation studios, establish policy requiring security scanning of all third-party image assets before processing in production pipelines. Review the GitHub security advisory GHSA-gmrp-x952-3m66 for additional vendor-specific guidance and patch deployment best practices.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-30404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy