Skip to main content

OpenColorIO EUVDEUVD-2026-38769

| CVE-2026-42450 HIGH
Classic Buffer Overflow (CWE-120)
2026-06-24 GitHub_M
8.4
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

File-parsing flaw triggered by opening a crafted LUT, so AV:L and UI:R with PR:N; the stack overflow can yield full local process compromise, giving C/I/A:H.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch available
Jun 24, 2026 - 15:02 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 14:20 vuln.today
Analysis Generated
Jun 24, 2026 - 14:20 vuln.today
CVE Published
Jun 24, 2026 - 13:20 cve.org
HIGH 8.4

DescriptionCVE.org

OpenColorIO is a color management framework for visual effects and animation. Prior to version 2.5.2, FileFormatSpi3D.cpp:163 uses sscanf with %s into 64-byte stack buffers when parsing LUT data lines. Input comes from lineBuffer[4096], so a crafted .spi3d file can overflow by ~4000 bytes on non-Windows. Version 2.5.2 fixes the issue.

AnalysisAI

Stack buffer overflow in OpenColorIO's .spi3d LUT parser allows a crafted color-lookup file to corrupt memory in any application that loads it. The flaw in FileFormatSpi3D.cpp reads attacker-controlled data from a 4096-byte line into 64-byte stack buffers via unbounded sscanf %s, permitting an overflow of roughly 4000 bytes on non-Windows platforms. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious .spi3d file with oversized LUT token
Delivery
Deliver via asset pipeline or download
Exploit
Victim loads file in OCIO-backed app
Execution
sscanf %s overflows 64-byte stack buffer
Persist
Corrupt stack / hijack control flow
Impact
Crash or code execution in host process

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to load a crafted .spi3d LUT file through OpenColorIO's file parser on a non-Windows platform (the description states the overflow occurs on non-Windows; Windows is noted as not affected by this overflow). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H, base 8.4) characterizes this as a local, low-complexity, unauthenticated issue that requires victim interaction (UI:A) - i.e., the attacker does not need an account, but a user or pipeline must open/process the malicious .spi3d file, which is the dominant limiting factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious .spi3d LUT file with an overly long data token and distributes it through a shared VFX asset library, project deliverable, or downloaded look pack. When an artist or an automated render pipeline opens the file in an OCIO-backed application on Linux or macOS, the oversized token overflows a 64-byte stack buffer by roughly 4000 bytes, corrupting the stack and potentially leading to crash or code execution in the host process. …
Remediation Vendor-released patch: OpenColorIO 2.5.2, which is ABI compatible with 2.5.1 and fixes the issue via PR #2307 ('Improve LUT loading checks'); upgrade to v2.5.2 or rebuild/relink any application that embeds OCIO against this version (https://github.com/AcademySoftwareFoundation/OpenColorIO/releases/tag/v2.5.2, advisory GHSA-rxp3-rrgx-f547). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running OpenColorIO prior to version 2.5.2 and restrict user ability to load color lookup files from untrusted sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-38769 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy