Description
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, sgiinput.cpp:265,274 use OIIO_DASSERT for bounds checking in the RLE decode loop. In release builds, OIIO_DASSERT compiles to ((void)sizeof(x)) (dassert.h:210), making all bounds checks no-ops. A crafted .sgi file with RLE count exceeding scanline width causes heap buffer overflow and crash. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
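As an added illustration (not code from OpenImageIO or from this advisory), the sketch below shows why a debug-only assertion cannot serve as the bounds check in an RLE decoder: a macro defined as ((void)sizeof(x)) never evaluates its condition, so the decoder needs an ordinary runtime check that fails closed. The macro name RELEASE_DASSERT, the decoder and the byte samples are constructed for this example, and the scanline format is a simplified SGI-style RLE.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// What the advisory says OIIO_DASSERT becomes in a release build: sizeof() is an
// unevaluated context, so the condition is never even computed. (Hypothetical name.)
#define RELEASE_DASSERT(x) ((void)sizeof(x))
// The collapsed macro performs no check: the assignment inside never runs.
bool release_dassert_is_noop() {
    int evaluated = 0;
    RELEASE_DASSERT((evaluated = 1) == 0);  // would fail loudly if it were checked
    return evaluated == 0;
}
// Decodes one SGI-style RLE scanline into `out` (out.size() = width, 8-bit).
// Control byte = (flag << 7) | count: flag set = literal run of `count` bytes,
// flag clear = repeat the next byte `count` times; count 0 ends the scanline.
// Returns false instead of writing past `out`: a plain check that survives NDEBUG.
bool decode_rle_scanline(const std::vector<uint8_t>& in,
                         std::vector<uint8_t>& out) {
    const size_t width = out.size();
    size_t ip = 0, op = 0;
    while (ip < in.size()) {
        const uint8_t ctrl = in[ip++];
        const size_t count = ctrl & 0x7f;
        if (count == 0) break;                      // end-of-scanline marker
        RELEASE_DASSERT(op + count <= width);       // compiles to nothing
        if (op + count > width) return false;       // the check that really guards
        if (ctrl & 0x80) {                          // literal run
            if (ip + count > in.size()) return false;   // truncated input
            for (size_t i = 0; i < count; ++i) out[op++] = in[ip++];
        } else {                                    // repeated byte
            if (ip >= in.size()) return false;
            const uint8_t v = in[ip++];
            for (size_t i = 0; i < count; ++i) out[op++] = v;
        }
    }
    return op == width;   // a short scanline is malformed as well
}

// Constructed samples (not from any real file): a valid 8-pixel line, and one
// whose repeat count 0x7f (127) exceeds the 8-pixel width.
bool sample_valid_decodes() {
    const std::vector<uint8_t> in = {0x83, 1, 2, 3, 0x05, 9, 0x00};
    std::vector<uint8_t> out(8);
    return decode_rle_scanline(in, out) && out[0] == 1 && out[7] == 9;
}
bool sample_oversized_count_rejected() {
    const std::vector<uint8_t> in = {0x7f, 9, 0x00};
    std::vector<uint8_t> out(8);
    return !decode_rle_scanline(in, out);
}
```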
Published: 2026-05-14
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenImageIO’s SGI RLE decoder has a heap buffer overflow caused by the OIIO_DASSERT macro being converted to a no‑op in release builds. The bounds check that should guard the RLE count is omitted, so a crafted SGI file with an excessively large RLE count can write past the end of an internal buffer and crash the application. The vulnerability is limited to an application crash and does not confer the ability to execute arbitrary code.

Affected Systems

The affected product is OpenImageIO from the Academy Software Foundation. Versions earlier than 3.0.18.0 and 3.1.13.0 contain the flaw; these releases were made available before the official fix was implemented.

Risk and Exploitability

The CVSS score of 8.4 classifies this as a high‑severity flaw. Attackers need to supply a malicious SGI file that OpenImageIO processes, which can be delivered in a local or remote context depending on how the application handles image input. The EPSS score is currently unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only the presence of a vulnerable OpenImageIO build with release configuration, where OIIO_DASSERT guarantees are stripped out.

Generated by OpenCVE AI on May 14, 2026 at 22:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenImageIO to version 3.0.18.0 or 3.1.13.0 or later, which includes the missing bounds‑check.
  • If an upgrade cannot be applied immediately, limit processing of SGI files to trusted sources or disable the code path that decodes SGI images when handling untrusted input.
  • Rebuild OpenImageIO from source with OIIO_DASSERT enabled in release builds or adjust the build configuration to preserve bounds checks in release builds.

Generated by OpenCVE AI on May 14, 2026 at 22:16 UTC.

Advisories

No advisories yet.

History

Fri, 15 May 2026 19:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Openimageio; Openimageio openimageio
CPEs                |                | cpe:2.3:a:openimageio:openimageio:*:*:*:*:*:*:*:*
Vendors & Products  |                | Openimageio; Openimageio openimageio
Metrics             |                | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 15 May 2026 11:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Academysoftwarefoundation; Academysoftwarefoundation openimageio
Vendors & Products  |                | Academysoftwarefoundation; Academysoftwarefoundation openimageio

Thu, 14 May 2026 21:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 19:30:00 +0000

Type        | Values Removed | Values Added
Description |                | OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, sgiinput.cpp:265,274 use OIIO_DASSERT for bounds checking in the RLE decode loop. In release builds, OIIO_DASSERT compiles to ((void)sizeof(x)) (dassert.h:210), making all bounds checks no-ops. A crafted .sgi file with RLE count exceeding scanline width causes heap buffer overflow and crash. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Title       |                | OpenImageIO: SGI RLE decoder heap buffer overflow OIIO_DASSERT bounds checks are no-ops in release builds
Weaknesses  |                | CWE-787
References  |                |
Metrics     |                | cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:48:59.507Z

Reserved: 2026-05-04T16:11:33.086Z

Link: CVE-2026-43903

Vulnrichment

Updated: 2026-05-14T19:36:38.729Z

NVD

Status : Analyzed

Published: 2026-05-14T20:17:06.077

Modified: 2026-05-15T19:42:45.857

Link: CVE-2026-43903

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T11:15:25Z

Weaknesses