Description
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, jpeg2000input.cpp:395 computes buffer size as const int bufsize = w * h * ch * buffer_bpp using signed 32-bit arithmetic. When the product exceeds INT_MAX, the result wraps to 0 or a small value. m_buf.resize() allocates an undersized buffer, and subsequent pixel write loops cause heap overflow. Conditional on USE_OPENJPH build flag. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Published: 2026-05-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A signed 32‑bit integer overflow occurs in the JPEG2000 input handler when calculating the buffer size from image dimensions, channels, and bit depth. The resulting wrap‑around yields an undersized allocation, and subsequent pixel writes overflow the heap. This vulnerability maps to CWE‑190 and can corrupt memory, leading to crashes, denial‑of‑service, or potentially arbitrary code execution if the corrupt data can be controlled by an attacker.

Affected Systems

The flaw is present in OpenImageIO releases prior to 3.0.18.0 and 3.1.13.0, as distributed by the AcademySoftwareFoundation. It only manifests in builds compiled with the USE_OPENJPH flag enabled, which handles JPEG2000 (OpenJPH) files.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity impact under the Common Vulnerability Scoring System. EPSS is not available, so the current exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to supply a JPEG2000 image with dimensions that overflow the signed 32‑bit multiplication; if the application processes such images from an untrusted source, the overflow could be triggered remotely or locally.

Generated by OpenCVE AI on May 14, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenImageIO to version 3.0.18.0 or 3.1.13.0 (or later) to apply the official fix.
  • If an immediate upgrade is not feasible, disable the USE_OPENJPH build flag or configure the application to reject JPEG2000 images from untrusted users.
  • Implement defensive checks that validate image dimensions and multiplication results before allocating buffers to prevent signed integer overflow.
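
The defensive check described above, as an added example: this is not OpenImageIO's code or its actual fix. The function names and the `max_bytes` cap are hypothetical; only the `w * h * ch * buffer_bpp` product comes from the description.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>

// What the 32-bit signed product wraps to on two's-complement targets.
// Computed in unsigned arithmetic so the demonstration itself has no UB.
int32_t wrapped_bufsize(int w, int h, int ch, int bpp) {
    uint32_t p = uint32_t(w) * uint32_t(h) * uint32_t(ch) * uint32_t(bpp);
    return static_cast<int32_t>(p);
}

// Hardened form: reject non-positive factors and any product that would
// exceed a caller-chosen cap, checking before each multiplication.
bool checked_bufsize(int w, int h, int ch, int bpp,
                     size_t max_bytes, size_t& out) {
    if (w <= 0 || h <= 0 || ch <= 0 || bpp <= 0)
        return false;
    size_t total = 1;
    for (int f : { w, h, ch, bpp }) {
        if (total > max_bytes / size_t(f))
            return false;  // next multiply would exceed the cap
        total *= size_t(f);
    }
    out = total;
    return true;
}

int main() {
    const size_t cap = size_t(1) << 30;  // constructed 1 GiB policy limit
    size_t n = 0;
    // Constructed header values: true size is 2^32 + 65536 bytes.
    std::printf("wrapped: %d\n", wrapped_bufsize(65537, 65536, 1, 1));
    std::printf("checked ok: %d\n",
                int(checked_bufsize(65537, 65536, 1, 1, cap, n)));
    // Ordinary image: passes and yields the exact byte count.
    if (checked_bufsize(1920, 1080, 3, 1, cap, n))
        std::printf("1080p RGB8: %zu bytes\n", n);
    return 0;
}
```

The wrapped value is what an `int bufsize` would hand to `m_buf.resize()`, while the write loops still iterate over the full declared dimensions.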


Advisories

No advisories yet.

History

Fri, 15 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Openimageio
Openimageio openimageio
CPEs cpe:2.3:a:openimageio:openimageio:*:*:*:*:*:*:*:*
Vendors & Products Openimageio
Openimageio openimageio
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 15 May 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Academysoftwarefoundation
Academysoftwarefoundation openimageio
Vendors & Products Academysoftwarefoundation
Academysoftwarefoundation openimageio

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, jpeg2000input.cpp:395 computes buffer size as const int bufsize = w * h * ch * buffer_bpp using signed 32-bit arithmetic. When the product exceeds INT_MAX, the result wraps to 0 or a small value. m_buf.resize() allocates an undersized buffer, and subsequent pixel write loops cause heap overflow. Conditional on USE_OPENJPH build flag. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Title OpenImageIO: JPEG2000 (OpenJPH) signed integer overflow in buffer allocation
Weaknesses CWE-190
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:37:10.139Z

Reserved: 2026-05-04T16:11:33.086Z

Link: CVE-2026-43905

Vulnrichment

Updated: 2026-05-14T19:35:51.000Z

NVD

Status: Analyzed

Published: 2026-05-14T20:17:06.447

Modified: 2026-05-15T19:43:11.100

Link: CVE-2026-43905

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T11:15:25Z

Weaknesses