Description
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed integer overflow in QueryRGBBufferSizeInternal() in DPXColorConverter.cpp leads to a heap-based out-of-bounds write when processing crafted DPX image files. The function computes buffer sizes using 32-bit signed integer arithmetic with negative multipliers (e.g., pixels * -3 * bytes for kCbYCr descriptors and pixels * -4 * bytes for kABGR descriptors), where a negative result is used as an in-band signal that no separate buffer is needed. When the pixel count is sufficiently large, the multiplication overflows INT_MIN and wraps to a small positive value. The caller in dpxinput.cpp interprets this positive value as a required buffer size, allocates an undersized heap buffer via m_decodebuf.resize(), and then writes the full image data into it via fread, resulting in a heap buffer overflow. An attacker can exploit this by crafting a DPX file that triggers the overflow, causing a denial of service (crash) or potentially arbitrary code execution through heap corruption in any application that reads pixel data using OpenImageIO. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
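An added illustration (not OpenImageIO's code) of the arithmetic the description refers to: a constructed model of the pixels * multiplier * bytes computation with its in-band negative signal, beside a hardened form that returns the "no buffer" answer out of band and checks the product in 64-bit arithmetic before it could reach a resize()/fread() pair. The descriptor names kCbYCr and kABGR and their multipliers follow the description; kRGB with a +3 multiplier and the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the size computation, not DPXColorConverter.cpp.
 * kCbYCr/kABGR and their negative multipliers are from the advisory text;
 * kRGB with +3 is an assumed "separate buffer needed" path. */
enum Descriptor { kRGB, kCbYCr, kABGR };

static int multiplier(enum Descriptor d) {
    switch (d) {
    case kCbYCr: return -3;   /* negative = "no separate buffer" (in-band signal) */
    case kABGR:  return -4;
    default:     return 3;
    }
}

/* Vulnerable pattern: pixels * multiplier * bytes in 32-bit signed arithmetic.
 * Signed overflow is undefined in C, so the wrap a built binary exhibits is
 * reproduced with well-defined modulo-2^32 unsigned math plus a final
 * two's-complement reinterpretation. A wrapped result > 0 is what a caller
 * would mistake for a (tiny) required buffer size. */
int32_t query_size_vulnerable(enum Descriptor d, int32_t pixels, int32_t bytes) {
    uint32_t wrapped = (uint32_t)pixels * (uint32_t)multiplier(d) * (uint32_t)bytes;
    return (int32_t)wrapped;
}

/* Hardened form: "no buffer" is an explicit out-of-band flag, the size is
 * computed in 64 bits, and non-positive operands or an overflowing product are
 * rejected before any allocation decision. Returns false on rejection. */
bool query_size_safe(enum Descriptor d, int32_t pixels, int32_t bytes,
                     bool *needs_buffer, size_t *size) {
    if (pixels <= 0 || bytes <= 0) return false;
    int m = multiplier(d);
    if (m < 0) {                      /* descriptor is consumed in place */
        *needs_buffer = false;
        *size = 0;
        return true;
    }
    int64_t per_pixel = (int64_t)m * bytes;                     /* fits int64 */
    if ((int64_t)pixels > INT64_MAX / per_pixel) return false;  /* would overflow */
    *needs_buffer = true;
    *size = (size_t)((int64_t)pixels * per_pixel);
    return true;
}
```

A caller should additionally cap the returned size against a policy limit (or the actual file size) before resizing; the overflow check alone only guarantees the arithmetic is exact.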
Published: 2026-05-14
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenImageIO is a widely used toolset for reading, writing, and manipulating image files in VFX and animation pipelines. A signed integer overflow occurs in the function QueryRGBBufferSizeInternal() in DPXColorConverter.cpp; the overflow results from using 32‑bit signed arithmetic with negative multipliers for certain DPX descriptors. When the pixel count is large enough, the multiplication wraps around to a small positive value, which the caller interprets as a safe buffer size. The library then allocates a buffer that is far too small and writes the entire image into it, creating a heap out‑of‑bounds write. An attacker can exploit this by crafting a malicious DPX file, causing the application that reads the file to crash or, worse, to execute arbitrary code through heap corruption. The vulnerability exists in all OpenImageIO releases older than versions 3.0.18.0 and 3.1.13.0, which are commonly deployed in animation and visual‑effects workflows.

Affected Systems

The affected product is OpenImageIO from the Academy Software Foundation. Any application that embeds or links to this library and processes DPX image files—particularly those using the kCbYCr or kABGR color descriptors—could be impacted. Versions released before 3.0.18.0 and before 3.1.13.0 are vulnerable and require upgrade to the patched releases cited above.

Risk and Exploitability

The CVSS score of 8.3 highlights a severe vulnerability. The EPSS score is currently not available, and the issue is not listed in CISA’s KEV catalog, indicating no known widespread exploitation at this time. However, because the flaw manifests only when a specially crafted DPX file is processed, a likely attack vector is the delivery of malicious image files through any channel that the application reads from—whether local, network, or file‑system based. Exploitation requires the application to run with sufficient privileges to execute heap‑corrupted code. Given the high impact and the lack of mitigations in affected releases, the risk is significant for environments that routinely process DPX imagery.

Generated by OpenCVE AI on May 14, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenImageIO to version 3.0.18.0 or later to apply the patch that fixes the integer overflow.
  • If an upgrade cannot be performed immediately, enforce stricter input validation by rejecting large DPX files or those that cannot be parsed correctly before allocating buffers.
  • Run applications that use OpenImageIO with reduced privileges or inside a sandboxed environment to contain potential heap corruption from malicious files.


Advisories

No advisories yet.

History

Fri, 15 May 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openimageio
                                      Openimageio openimageio
CPEs                                  cpe:2.3:a:openimageio:openimageio:*:*:*:*:*:*:*:*
                                      cpe:2.3:a:openimageio:openimageio:3.2.0.2:dev:*:*:*:*:*:*
Vendors & Products                    Openimageio
                                      Openimageio openimageio

Fri, 15 May 2026 11:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Academysoftwarefoundation
                                      Academysoftwarefoundation openimageio
Vendors & Products                    Academysoftwarefoundation
                                      Academysoftwarefoundation openimageio

Thu, 14 May 2026 21:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 19:30:00 +0000

Type                 Values Removed   Values Added
Description                           (the CVE description text, as shown under Description at the top of this page)
Title                                 OpenImageIO: Integer overflow in QueryRGBBufferSizeInternal leads to heap out-of-bounds write in DPX decoder (kCbYCr and kABGR)
Weaknesses                            CWE-190
                                      CWE-787
References
Metrics                               cvssV3_1
                                      {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:49:08.595Z

Reserved: 2026-05-04T16:11:33.086Z

Link: CVE-2026-43907

Vulnrichment

Updated: 2026-05-14T19:48:57.668Z

NVD

Status: Analyzed

Published: 2026-05-14T20:17:06.760

Modified: 2026-05-15T19:43:22.767

Link: CVE-2026-43907

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T11:15:25Z

Weaknesses