Description
OpenColorIO is a color management framework for visual effects and animation. Prior to version 2.5.2, `FileFormatSpi3D.cpp:163` uses `sscanf` with `%s` into 64-byte stack buffers when parsing LUT data lines. Input comes from `lineBuffer[4096]`, so a crafted .spi3d file can overflow by ~4000 bytes on non-Windows. Version 2.5.2 fixes the issue.
Published: 2026-06-24
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenColorIO is a color management framework for visual effects and animation. Prior to version 2.5.2, the Spi3D (.spi3d) LUT parser reads data lines with `sscanf` using an unbounded `%s` conversion into 64-byte stack buffers (FileFormatSpi3D.cpp, line 163), while the line itself comes from a 4096-byte `lineBuffer`. Because `%s` with no field width copies an entire whitespace-delimited token regardless of the destination size, a single over-long token in a crafted .spi3d file can write roughly 4000 bytes past the buffers on non-Windows platforms, corrupting the stack and potentially allowing arbitrary code execution in whatever process loads the LUT. The flaw is classified as CWE-120 and is fixed in OpenColorIO 2.5.2.
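The following added example illustrates the CWE-120 pattern the advisory describes next to a hardened form of the same parse. It is not OpenColorIO code and does not reproduce the real Spi3D data-line layout: the line format is simplified to three whitespace-separated float tokens, and the buffer sizes (`LINE_BUF` 4096, `TOKEN_BUF` 64) are taken from the advisory text. All function names and the crafted input are assumptions made for the demonstration.

```c
/* Added example (not OpenColorIO code): unbounded sscanf "%s" vs. a bounded parse.
 * Line format is a simplified "r g b" triple; the real Spi3D layout is not reproduced. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_BUF  4096   /* size of the line buffer named in the advisory */
#define TOKEN_BUF 64     /* size of the per-token stack buffers named in the advisory */

/* Vulnerable form: "%s" has no field width, so a token of TOKEN_BUF or more characters
 * taken from a LINE_BUF-sized line is copied straight past the end of r/g/b on the stack.
 * Kept only for comparison; never feed it untrusted input. */
int parse_rgb_unbounded(const char *line, float rgb[3])
{
    char r[TOKEN_BUF], g[TOKEN_BUF], b[TOKEN_BUF];
    if (sscanf(line, "%s %s %s", r, g, b) != 3)
        return -1;
    rgb[0] = strtof(r, NULL);
    rgb[1] = strtof(g, NULL);
    rgb[2] = strtof(b, NULL);
    return 0;
}

/* Length of the longest whitespace-delimited token: the size check the unbounded parser lacks. */
size_t max_token_len(const char *line)
{
    size_t best = 0, cur = 0;
    for (;; ++line) {
        int sep = (*line == '\0' || *line == ' ' || *line == '\t' ||
                   *line == '\n' || *line == '\r');
        if (sep) {
            if (cur > best) best = cur;
            cur = 0;
            if (*line == '\0') break;
        } else {
            ++cur;
        }
    }
    return best;
}

/* Hardened form: reject any token that cannot fit with its NUL, then bound every %s with a
 * width of TOKEN_BUF-1 (63) so sscanf cannot write past the buffers even if the pre-check is
 * ever removed, and require each token to be a complete float rather than a prefix. */
int parse_rgb_bounded(const char *line, float rgb[3])
{
    char r[TOKEN_BUF], g[TOKEN_BUF], b[TOKEN_BUF];
    char *end;

    if (max_token_len(line) >= TOKEN_BUF)
        return -1;
    if (sscanf(line, "%63s %63s %63s", r, g, b) != 3)   /* 63 == TOKEN_BUF - 1 */
        return -1;
    rgb[0] = strtof(r, &end); if (*end != '\0') return -1;
    rgb[1] = strtof(g, &end); if (*end != '\0') return -1;
    rgb[2] = strtof(b, &end); if (*end != '\0') return -1;
    return 0;
}

/* Constructed attack line: one token of n 'A' characters (capped so it fits in LINE_BUF with
 * two short trailing tokens and a NUL), mirroring the ~4000-byte token the advisory describes.
 * Returns the token length actually written. */
size_t make_overlong_line(char *buf, size_t n)
{
    if (n > LINE_BUF - 8) n = LINE_BUF - 8;
    memset(buf, 'A', n);
    memcpy(buf + n, " 0 0", 5);   /* includes the terminating NUL */
    return n;
}

int main(void)
{
    static char line[LINE_BUF];
    float rgb[3];
    size_t n = make_overlong_line(line, 4000);
    /* parse_rgb_unbounded(line, rgb) would overflow here; only the bounded parser is called. */
    printf("crafted token of %zu bytes, bounded parser -> %d\n", n, parse_rgb_bounded(line, rgb));
    printf("benign line, bounded parser -> %d\n", parse_rgb_bounded("0.5 0.25 1", rgb));
    return 0;
}
```

The pre-check and the `%63s` width are deliberately redundant: the width alone stops the overflow, but on its own it silently truncates an over-long token to 63 characters, so the pre-check turns a malformed file into an explicit parse error instead of a quietly wrong LUT value.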

Affected Systems

Vendors: AcademySoftwareFoundation OpenColorIO. Affected versions are all releases prior to 2.5.2. Users of OpenColorIO 2.5.1 or earlier that parse Spi3D LUT files are potentially vulnerable.

Risk and Exploitability

The vulnerability has a CVSS v4.0 base score of 8.4 (High). The vector (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H) indicates a local attack vector with no privileges required but active user interaction: a user must open or apply a crafted .spi3d LUT in an application that loads it through OpenColorIO. The EPSS score is not available and the flaw is not listed in CISA's KEV catalog; the SSVC assessment recorded in the history below rates exploitation as 'poc' and technical impact as 'total'. In pipelines that ingest LUT files from outside parties (vendor deliveries, downloaded look libraries, shared asset stores) the risk is high; in tightly controlled workflows it is lower. The high score warrants prompt attention regardless.

Generated by OpenCVE AI on June 24, 2026 at 15:11 UTC.

Remediation

Vendor fix: OpenColorIO 2.5.2, which the CVE description identifies as the fixed release. No separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade to OpenColorIO 2.5.2 or later, which removes the unbounded sscanf.
  • If upgrading is not immediately possible, avoid processing untrusted or unknown .spi3d files until a patch is applied.
  • Run OpenColorIO-based applications with the least privileges required, so that code execution triggered by a malicious LUT cannot modify system files or shared pipeline locations.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:45:00 +0000

Type: Description
Values added: OpenColorIO is a color management framework for visual effects and animation. Prior to version 2.5.2, `FileFormatSpi3D.cpp:163` uses `sscanf` with `%s` into 64-byte stack buffers when parsing LUT data lines. Input comes from `lineBuffer[4096]`, so a crafted .spi3d file can overflow by ~4000 bytes on non-Windows. Version 2.5.2 fixes the issue.

Type: Title
Values added: OpenColorIO vulnerable to stack buffer overflow via unbounded `sscanf %s` in Spi3D (.spi3d) LUT parser

Type: Weaknesses
Values added: CWE-120

Type: References
Values added: (none listed)

Type: Metrics (cvssV4_0)
Values added: {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T18:56:15.215Z

Reserved: 2026-04-27T13:55:58.693Z

Link: CVE-2026-42450

Vulnrichment

Updated: 2026-06-24T18:55:38.190Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T15:15:04Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')