Description
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, softimageinput.cpp:469 (mixed RLE) and :345 (pure RLE) do not clamp the run length to remaining scanline width before writing pixels. The raw packet path (line 403) correctly clamps with std::min, but RLE paths skip this check. A crafted .pic file causes heap overflow up to 65535 bytes. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Published: 2026-05-14
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenImageIO’s Softimage PIC image decoder does not clamp the run length when decoding RLE data, allowing an attacker to craft a .pic file that overflows a heap buffer by up to 65,535 bytes. This flaw is a classic buffer overflow (CWE‑787) that can corrupt memory and potentially lead to arbitrary code execution or a denial‑of‑service condition when the malformed image is processed.
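The missing check, as an added example (a hypothetical single-channel scanline decoder written for this page, not OpenImageIO's code): every run count is clamped with std::min to the pixels still remaining in the scanline before any write, and the caller learns when a packet had to be truncated. The packet layout below is an assumption made for the example, not the exact PIC encoding.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>
struct RleResult {
    size_t pixels_written = 0;     // never exceeds the scanline width
    bool   run_clamped    = false; // some packet claimed more pixels than remained
    bool   input_short    = false; // data ended before the scanline was full
};
// Packet layout assumed for this example (a simplification of the PIC scheme):
//   c < 128: raw packet of c literal pixels; c == 128: long run, 16-bit
//   big-endian count then one pixel; c > 128: short run of (c - 128) pixels.
// Every count is clamped to the pixels still remaining in the scanline before
// anything is written; the bug above skipped this clamp on both run paths.
RleResult decode_rle_scanline(const std::vector<uint8_t>& in, size_t width,
                              std::vector<uint8_t>& out)
{
    RleResult r;
    out.assign(width, 0);
    auto clamp = [&](size_t n) {   // std::min against the remaining width
        size_t m = std::min(n, width - r.pixels_written);
        if (m != n) r.run_clamped = true;
        return m;
    };
    size_t pos = 0;
    while (r.pixels_written < width && pos < in.size()) {
        uint8_t c = in[pos++];
        size_t n;
        if (c < 128) {                                   // raw packet
            n = clamp(c);
            if (pos + n > in.size()) break;
            std::copy_n(in.begin() + pos, n, out.begin() + r.pixels_written);
            pos += n;
        } else {                                         // run packet
            if (c == 128) {                              // 16-bit long count
                if (pos + 2 > in.size()) break;
                n = (size_t(in[pos]) << 8) | in[pos + 1];
                pos += 2;
            } else {
                n = c - 128;
            }
            if (pos >= in.size()) break;
            n = clamp(n);
            std::fill_n(out.begin() + r.pixels_written, n, in[pos++]);
        }
        r.pixels_written += n;
    }
    r.input_short = r.pixels_written < width;
    return r;
}
```

A long-run packet whose 16-bit count exceeds the scanline is truncated to the width and flagged, so the output buffer is never written past its end.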

Affected Systems

AcademySoftwareFoundation OpenImageIO versions earlier than 3.0.18.0 and 3.1.13.0 are affected. The vulnerability resides in the softimageinput.cpp module, which handles Softimage PIC image files and fails to limit the RLE run length to the remaining scanline width.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. The exploit probability is currently undocumented and the vulnerability has no entry in the KEV catalog, but its nature suggests that an attacker could trigger the overflow by delivering a malicious .pic file to any application that processes image uploads, potentially leading to remote code execution where the overflow is exploitable in that context. The likely attack vector is supplying or uploading a crafted .pic file to a vulnerable system. Older OpenImageIO releases remain unpatched, so prompt action is required to mitigate the risk of an attacker executing code or causing a crash.

Generated by OpenCVE AI on May 14, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenImageIO to version 3.0.18.0 or 3.1.13.0 or later, which includes the required boundary check.
  • Validate or sanitize all image files before processing by enforcing a maximum RLE run length that does not exceed the available scanline width, reducing the risk of a buffer overflow.
  • If support for Softimage PIC files is not needed, disable or remove the .pic image format handler to eliminate the vulnerable code path.

Advisories

No advisories yet.

History

Fri, 15 May 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openimageio
                                      Openimageio openimageio
CPEs                                  cpe:2.3:a:openimageio:openimageio:*:*:*:*:*:*:*:*
Vendors & Products                    Openimageio
                                      Openimageio openimageio
Metrics                               cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 15 May 2026 11:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Academysoftwarefoundation
                                      Academysoftwarefoundation openimageio
Vendors & Products                    Academysoftwarefoundation
                                      Academysoftwarefoundation openimageio

Thu, 14 May 2026 19:30:00 +0000

Type                 Values Removed   Values Added
Description                           OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, softimageinput.cpp:469 (mixed RLE) and :345 (pure RLE) do not clamp the run length to remaining scanline width before writing pixels. The raw packet path (line 403) correctly clamps with std::min, but RLE paths skip this check. A crafted .pic file causes heap overflow up to 65535 bytes. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Title                                 OpenImageIO: Softimage PIC RLE decoder heap buffer overflow — longCount not clamped to image width
Weaknesses                            CWE-787
References
Metrics                               cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:09:52.348Z

Reserved: 2026-05-04T16:11:33.086Z

Link: CVE-2026-43904

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-14T20:17:06.240

Modified: 2026-05-15T19:42:58.830

Link: CVE-2026-43904

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T11:15:25Z

Weaknesses