Description
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a heap-based buffer overflow in the HEIF decoder of OpenImageIO allows out-of-bounds writes via crafted images due to a subimage metadata mismatch, leading to memory corruption and potential code execution. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Published: 2026-05-14
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenImageIO contains a heap-based buffer overflow (CWE-122) in its HEIF decoder. The reader sizes its output from the subimage metadata declared in the container but fills it according to what the codec actually decoded; when the two disagree, a crafted HEIF image triggers an out-of-bounds heap write that corrupts memory and can lead to code execution in whatever process decodes the file.
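The weakness class above, as a constructed illustration added here (hypothetical reader code, not OpenImageIO's HEIF plugin; the structs, function names and the 4x4-versus-8x8 inputs are all assumptions). The point is the two independent sources of geometry: the container's subimage metadata decides the allocation, the codec's own report decides the copy. `copy_unchecked` has the vulnerable shape but stops at the row that would leave the buffer and reports it, so it shows the overflow condition without corrupting memory; `copy_checked` cross-checks the two geometries and guards the size arithmetic before any byte moves.

```cpp
// Constructed illustration of the weakness class (CWE-122 via a metadata mismatch).
// Hypothetical reader code, not OpenImageIO's HEIF plugin.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <vector>

// Geometry declared by the container's subimage metadata (what the reader allocates from).
struct SubimageSpec { int width; int height; int nchannels; };

// Geometry reported by the codec for the decoded plane (what the reader copies by).
struct DecodedPlane {
    int width; int height; int nchannels;
    std::vector<uint8_t> pixels;   // width * height * nchannels bytes, row-major
};

static size_t bytes_for(int w, int h, int c) {
    return size_t(w) * size_t(h) * size_t(c);
}

// Vulnerable shape. A real decoder would memcpy straight past the heap block; this
// version stops at the first row that would land outside `dst` and returns false,
// so it demonstrates the overflow condition without actually corrupting memory.
bool copy_unchecked(const SubimageSpec& spec, const DecodedPlane& plane,
                    std::vector<uint8_t>& dst) {
    dst.assign(bytes_for(spec.width, spec.height, spec.nchannels), 0);
    const size_t rowbytes = size_t(plane.width) * size_t(plane.nchannels);
    for (int y = 0; y < plane.height; ++y) {
        const size_t off = size_t(y) * rowbytes;
        if (off + rowbytes > dst.size())
            return false;   // <- the out-of-bounds heap write in the unchecked code path
        std::memcpy(dst.data() + off, plane.pixels.data() + off, rowbytes);
    }
    return true;
}

// Hardened shape: treat the container metadata as untrusted, cross-check it against the
// codec's own answer, and guard the allocation arithmetic, all before any byte is copied.
bool copy_checked(const SubimageSpec& spec, const DecodedPlane& plane,
                  std::vector<uint8_t>& dst) {
    if (spec.width <= 0 || spec.height <= 0 || spec.nchannels <= 0)
        return false;   // nonsensical declared geometry
    const size_t maxv = std::numeric_limits<size_t>::max();
    if (size_t(spec.width) > maxv / size_t(spec.height) / size_t(spec.nchannels))
        return false;   // width*height*channels would wrap size_t
    if (plane.width != spec.width || plane.height != spec.height ||
        plane.nchannels != spec.nchannels)
        return false;   // subimage metadata mismatch: declared geometry != decoded geometry
    const size_t nbytes = bytes_for(spec.width, spec.height, spec.nchannels);
    if (plane.pixels.size() < nbytes)
        return false;   // codec produced fewer bytes than its own geometry implies
    dst.assign(plane.pixels.begin(),
               plane.pixels.begin() + static_cast<std::ptrdiff_t>(nbytes));
    return true;
}

// Constructed test input: a decoded plane with a recognisable byte pattern.
DecodedPlane make_plane(int w, int h, int c) {
    DecodedPlane p{w, h, c, std::vector<uint8_t>(bytes_for(w, h, c))};
    for (size_t i = 0; i < p.pixels.size(); ++i)
        p.pixels[i] = uint8_t(i & 0xff);
    return p;
}

int main() {
    SubimageSpec spec{4, 4, 3};                  // container claims 4x4 RGB (48 bytes)
    DecodedPlane honest = make_plane(4, 4, 3);
    DecodedPlane lying  = make_plane(8, 8, 3);   // codec actually yields 8x8 RGB (192 bytes)
    std::vector<uint8_t> dst;
    std::printf("honest: unchecked=%d checked=%d\n",
                copy_unchecked(spec, honest, dst), copy_checked(spec, honest, dst));
    std::printf("lying:  unchecked=%d checked=%d\n",
                copy_unchecked(spec, lying, dst), copy_checked(spec, lying, dst));
    return 0;
}
```

Two things worth noticing when running it: a plane that is wider but shorter than declared (say 6x2 RGB, 36 bytes into a 48-byte buffer) passes the unchecked copy without overflowing yet lands every row at the wrong offset, so a mismatch that does not crash still yields a corrupted image; and the overflow guard on the allocation size matters independently of the cross-check, because a huge declared geometry can wrap the multiplication into a tiny allocation.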

Affected Systems

OpenImageIO releases before 3.0.18.0, and 3.1.x releases before 3.1.13.0, are affected; the NVD CPE configuration additionally lists the 3.2.0.2 development build. OpenImageIO is produced by the Academy Software Foundation and is a library, so the VFX and animation tools and pipelines that link or bundle it (including anything that uses its HEIF plugin, which depends on libheif) inherit the flaw and need a rebuilt or updated copy.

Risk and Exploitability

The CVSS 4.0 score is 8.5 (High); NVD additionally assigned a CVSS 3.1 score of 7.8. Both vectors are local (AV:L) with user interaction required (UI:P in 4.0, UI:R in 3.1) and no privileges, so the attacker does not need network access to the target process but does need it to decode a file they control. EPSS is below 1% and the vulnerability is not in CISA's KEV catalog, but the SSVC assessment records a public proof of concept (Exploitation: poc) with total technical impact, rated not automatable. The realistic attack path is therefore untrusted HEIF input reaching an OpenImageIO-based decoder: an image submitted to an ingest or conversion pipeline, an asset handed to an artist, or any service that processes user-supplied images with oiiotool or a tool that links the library.

Generated by OpenCVE AI on May 14, 2026 at 20:24 UTC.

Remediation

Fixed in OpenImageIO 3.0.18.0 and 3.1.13.0, per the CVE description. No workaround other than keeping untrusted HEIF input away from affected builds has been published.

OpenCVE Recommended Actions

  • Upgrade OpenImageIO 3.0.x deployments to version 3.0.18.0 or newer
  • Upgrade OpenImageIO 3.1.x deployments to version 3.1.13.0 or newer, and rebuild or update downstream applications that bundle the library
  • Until the patch is applied, do not decode untrusted HEIF images with OpenImageIO (for example, reject HEIF input at the ingestion boundary or build without HEIF support)
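A version-check helper for the upgrade steps above, added here as example code that is not part of OpenImageIO. It classifies a dotted version string against the ranges this advisory states (anything below 3.0.18.0, and the 3.1 line below 3.1.13.0). Two design choices are assumptions of this example rather than statements from the advisory: an unparseable string is reported as affected (fail closed), and so is any "dev" snapshot, since the NVD CPE configuration lists the 3.2.0.2 development build and a snapshot's number alone does not say which commits it contains.

```cpp
// Added helper: is an OpenImageIO version string inside this advisory's affected ranges?
// Example code, not part of OpenImageIO. Expects the dotted MAJOR.MINOR.PATCH.TWEAK form
// of OIIO release numbers, e.g. "3.0.17.0".
#include <array>
#include <cctype>
#include <cstdio>
#include <sstream>
#include <string>

using Version = std::array<int, 4>;   // lexicographic operator< compares versions correctly

// Parse "3.0.17.0" (or "3.0.17") into {3,0,17,0}. Returns false if it is not a version.
bool parse_version(const std::string& s, Version& out) {
    std::istringstream in(s);
    std::string part;
    int n = 0;
    out = {0, 0, 0, 0};
    while (n < 4 && std::getline(in, part, '.')) {
        size_t digits = 0;
        while (digits < part.size() &&
               std::isdigit(static_cast<unsigned char>(part[digits])))
            ++digits;
        if (digits == 0 || digits > 9) return false;   // not a number, or absurdly long
        out[n++] = std::stoi(part.substr(0, digits));
    }
    return n >= 2;                                     // need at least MAJOR.MINOR
}

bool is_affected(const std::string& s) {
    // Assumption of this example: a dev snapshot cannot be classified by number alone.
    if (s.find("dev") != std::string::npos) return true;
    Version v;
    if (!parse_version(s, v)) return true;             // garbage: fail closed
    const Version fix30{3, 0, 18, 0};
    const Version fix31{3, 1, 13, 0};
    if (v < fix30) return true;                        // all 2.x and 3.0.x before 3.0.18.0
    if (v[0] == 3 && v[1] == 1) return v < fix31;      // 3.1.x before 3.1.13.0
    return false;                                      // 3.0.18.0+, 3.1.13.0+, later lines
}

int main(int argc, char** argv) {
    const char* ver = argc > 1 ? argv[1] : "3.0.17.0";
    std::printf("%s: %s\n", ver,
                is_affected(ver) ? "AFFECTED, upgrade" : "not in the affected ranges");
    return 0;
}
```

Feed it the version string your installation reports; in a fleet inventory this is the function you would run over every host's OpenImageIO package version, and over the version embedded in any application that bundles the library, since a patched system package does not fix a statically linked copy.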

Advisories

No advisories yet.

History

Fri, 15 May 2026 19:45:00 +0000

Type                   Values Removed   Values Added
First Time appeared                     Openimageio
                                        Openimageio openimageio
CPEs                                    cpe:2.3:a:openimageio:openimageio:*:*:*:*:*:*:*:*
                                        cpe:2.3:a:openimageio:openimageio:3.2.0.2:dev:*:*:*:*:*:*
Vendors & Products                      Openimageio
                                        Openimageio openimageio
Metrics                                 cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 15 May 2026 15:15:00 +0000

Type                   Values Removed   Values Added
Metrics                                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 19:30:00 +0000

Type                   Values Removed   Values Added
Description                             OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a heap-based buffer overflow in the HEIF decoder of OpenImageIO allows out-of-bounds writes via crafted images due to a subimage metadata mismatch, leading to memory corruption and potential code execution. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Title                                   OpenImageIO: HEIF Heap overflow
Weaknesses                              CWE-122
References
Metrics                                 cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T14:36:58.994Z

Reserved: 2026-05-04T16:11:33.086Z

Link: CVE-2026-43906

Vulnrichment

Updated: 2026-05-15T14:35:22.386Z

NVD

Status : Analyzed

Published: 2026-05-14T20:17:06.607

Modified: 2026-05-15T19:42:27.830

Link: CVE-2026-43906

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T20:30:04Z

Weaknesses