Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, the bounds check in TGAInput::decode_pixel computes k + palbytespp as unsigned 32-bit arithmetic. When k = 0xFFFFFFFC and palbytespp = 4, the addition wraps to 0, which compares less than palette_alloc_size and passes the check. The subsequent palette access uses the unwrapped k (0xFFFFFFFC) as the index, reading ~4 GB past the start of the palette buffer - SEGV. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
AnalysisAI
Integer overflow in OpenImageIO TGA image decoder allows local attackers to trigger out-of-bounds buffer read and denial of service. When processing TGA image files, the bounds check in TGAInput::decode_pixel computes k + palbytespp using unsigned 32-bit arithmetic; specifically, when k equals 0xFFFFFFFC and palbytespp equals 4, the sum wraps to zero, bypassing the palette size validation. The subsequent palette access then uses the unwrapped value as an array index, reading approximately 4 GB past the palette buffer start, causing a segmentation fault. Affects OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0; requires local file access and user interaction to open a malicious TGA file. CVSS score of 5.5 reflects local-only attack vector with high availability impact but no confidentiality or integrity impact.
Technical ContextAI
OpenImageIO is an Academy Software Foundation library for image I/O operations in VFX/animation workflows. The vulnerability exists in the TGA (Truevision Graphics Adapter) image format decoder, specifically in the TGAInput::decode_pixel function that processes palette-based TGA images. The root cause is a classic integer overflow leading to insufficient bounds checking (CWE-125: Out-of-bounds Read). TGA files support indexed color modes with palette data; the decoder reads palette entries during decompression. The vulnerability exploits the implicit unsigned integer wrap-around behavior in C/C++: when k (current palette index) is 0xFFFFFFFC (4,294,967,292 in unsigned 32-bit terms) and palbytespp (palette bytes per pixel, typically 4) is added, the sum wraps from 0x100000000 back to 0x00000000, making the wrapped value appear valid against palette_alloc_size. However, the actual palette access then uses the original k value, resulting in a massive out-of-bounds read that causes a segmentation fault due to access to unmapped memory regions.
RemediationAI
Upgrade to OpenImageIO 3.0.18.0 or later for the 3.0 branch, or 3.1.13.0 or later for the 3.1 branch. These patched versions correct the integer overflow by performing bounds checking using proper unsigned integer arithmetic or by adding additional validation before the palette access. The patch should be applied to all applications and libraries that depend on OpenImageIO, including VFX software, image processing tools, and animation pipelines. No workarounds are available; patching is the primary remediation. For organizations unable to immediately upgrade, mitigate risk by restricting file import to trusted TGA sources, disabling TGA format support if not essential to workflows, or isolating image processing operations in sandboxed environments to limit crash impact. Note that the latter mitigations do not prevent denial of service, only limit scope. Refer to the GitHub Advisory at https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-mq8j-73c4-cr55 for release notes and migration guidance.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30417