Skip to main content

OpenImageIO EUVDEUVD-2026-30415

| CVE-2026-43909 HIGH
Out-of-bounds Read (CWE-125)
2026-05-14 GitHub_M
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 14, 2026 - 21:32 EUVD
Analysis Generated
May 14, 2026 - 19:45 vuln.today
CVE Published
May 14, 2026 - 19:00 nvd
HIGH 8.8

DescriptionGitHub Advisory

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the loop index expression i * 4 inside SwapRGBABytes() causes the function to compute a large negative pointer offset when processing kABGR DPX images with large dimensions. The immediate crash is an out-of-bounds read (the memcpy at line 45 reads from &input[i * 4] first), but the subsequent write operations at lines 46-49 target the same wrapped offset - making this a combined OOB read+write primitive. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

AnalysisAI

Remote code execution in OpenImageIO versions before 3.0.18.0 and 3.1.13.0 allows unauthenticated attackers to achieve arbitrary read/write memory access by delivering a maliciously crafted kABGR DPX image file with oversized dimensions. The signed integer overflow in SwapRGBABytes() creates a negative pointer offset that enables both out-of-bounds read via memcpy and subsequent out-of-bounds writes, potentially leading to code execution when a user opens the malicious image. EPSS data not available; no confirmed active exploitation (not in CISA KEV), though the vendor-disclosed nature and VFX industry targeting suggests focused adversary interest in content creation pipelines.

Technical ContextAI

OpenImageIO is an Academy Software Foundation library widely used in visual effects and animation pipelines for image I/O operations across dozens of file formats. The vulnerability resides in SwapRGBABytes(), a pixel data transformation function that processes DPX (Digital Picture Exchange) files in kABGR format. DPX is a SMPTE standard for exchanging resolution-independent pixel data in film and video post-production. The root cause is CWE-125 (Out-of-bounds Read) combined with out-of-bounds write: when processing images with dimensions that cause the loop index expression 'i * 4' to exceed INT_MAX (2,147,483,647), the signed 32-bit integer wraps to a large negative value. This negative offset is then used as a pointer offset to both read (memcpy source at line 45) and write (direct assignments at lines 46-49) pixel component data, creating a primitive for arbitrary memory access relative to the input buffer base address. The CVSS vector AV:N/AC:L indicates network delivery with low complexity, while UI:R reflects the requirement for user interaction to open the malicious file.

RemediationAI

Upgrade to OpenImageIO version 3.0.18.0 or later for the 3.0.x branch, or version 3.1.13.0 or later for the 3.1.x branch. Patches are vendor-released and address the signed integer overflow in SwapRGBABytes() function. Download fixed versions from the official GitHub repository or Academy Software Foundation distribution channels, referencing GHSA-g267-j53j-5258 for release notes. If immediate patching is not feasible, implement application-layer input validation to reject DPX files exceeding safe dimensional thresholds (width × height < 536,870,912 to prevent 'i * 4' from exceeding INT_MAX when processing RGBA data), though this mitigation reduces functionality for legitimate high-resolution content and does not address the root cause. Alternatively, disable DPX format support entirely in environments where it is not operationally required, though this breaks workflows dependent on SMPTE DPX interchange. Network-based controls (blocking .dpx email attachments, web upload restrictions) provide defense-in-depth but do not protect against insider threats or supply chain compromise of trusted content sources. Audit logs should monitor for abnormal crashes in OpenImageIO-dependent processes as potential exploitation indicators.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-30415 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy