Description
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the pixel-loop index expression i * 3 inside ConvertCbYCrYToRGB() causes the function to compute a large negative pointer offset into the output buffer, producing an out-of-bounds write that crashes the process. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Published: 2026-05-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a signed 32-bit integer overflow in the pixel-loop index expression (i * 3) used by ConvertCbYCrYToRGB() when decoding DPX 4:2:2 files. Once the pixel index is large enough, the product wraps to a large negative value, which the code then uses as an offset into the output buffer. Because the resulting pointer lies outside the allocated region, the write corrupts heap memory and crashes the process. The weakness is an integer overflow or wraparound (CWE-190) that manifests as an out-of-bounds write (CWE-787). The impact is a denial-of-service condition: an attacker who can supply a crafted DPX file can crash any application that decodes it through OpenImageIO.
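The following is an added illustration of the arithmetic described above, not OpenImageIO's code: a 4:2:2 converter emits three output samples (R, G, B) per pixel, so the output offset for pixel i is i * 3, and with a 32-bit signed index that product wraps negative once i exceeds INT32_MAX / 3. The function names (wrapped_rgb_offset, checked_rgb_offset, convert_pixels) and the sample buffer sizes are assumptions chosen for the example; the hardened variant shows the defensive pattern of a size_t index plus explicit overflow and bounds checks.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <vector>

// Reproduce the wrap-around of `i * 3` as a 32-bit signed value without
// invoking undefined behaviour: multiply in unsigned (modular) arithmetic and
// reinterpret the resulting bit pattern as a signed int.
int32_t wrapped_rgb_offset(int32_t i) {
    uint32_t u = static_cast<uint32_t>(i) * 3u;
    int32_t wrapped;
    std::memcpy(&wrapped, &u, sizeof wrapped);
    return wrapped;
}

// Largest pixel index whose RGB offset still fits in int32_t (715827882).
constexpr int32_t kMaxSafeIndex = std::numeric_limits<int32_t>::max() / 3;

// Hardened computation (hypothetical helper): size_t index, explicit overflow
// check, and a bounds check against the destination buffer. Returns false
// instead of ever producing an out-of-range offset.
bool checked_rgb_offset(size_t i, size_t out_len, size_t* offset) {
    if (i > std::numeric_limits<size_t>::max() / 3) return false;  // i*3 would wrap
    size_t off = i * 3;
    if (off > out_len || out_len - off < 3) return false;          // no room for R,G,B
    *offset = off;
    return true;
}

// Simulated decode loop: writes `npixels` pixels into `out` (3 bytes each)
// through the checked offset. Returns the number of pixels written and stops
// early rather than writing past the end of the buffer.
size_t convert_pixels(size_t npixels, std::vector<uint8_t>& out) {
    size_t written = 0;
    for (size_t i = 0; i < npixels; ++i) {
        size_t off;
        if (!checked_rgb_offset(i, out.size(), &off)) break;
        out[off] = out[off + 1] = out[off + 2] = static_cast<uint8_t>(i & 0xFF);
        ++written;
    }
    return written;
}

int main() {
    // Constructed values: one pixel past the safe limit wraps to -2147483647.
    (void)wrapped_rgb_offset(kMaxSafeIndex + 1);
    std::vector<uint8_t> out(30);   // room for exactly 10 pixels
    (void)convert_pixels(12, out);  // writes 10 pixels, refuses the remaining 2
    return 0;
}
```

The first function exists only to show the failure mode; the point of the second and third is that the index type is wide enough for any realistic image and that the write is refused, not clamped silently, when the offset would leave the buffer.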

Affected Systems

The affected vendor is the Academy Software Foundation, and the product is OpenImageIO. Versions prior to 3.0.18.0 in the 3.0 line and prior to 3.1.13.0 in the 3.1 line contain the flaw. The issue exists in the DPX 4:2:2 decoder component and affects any installation that uses that decoder. No other product lines or vendors are listed as affected.

Risk and Exploitability

The CVSS 3.1 score of 8.8 indicates high severity. The EPSS score is below 1% and the CVE is not in the KEV catalogue, which suggests no publicly known exploitation in the wild yet. However, the flaw is triggered by any process that parses a malicious DPX file, so an attacker who can get such a file to the decoder can cause a crash. Because the only precondition is a crafted file, the vulnerability is most likely to be leveraged locally through a supply chain or a user-initiated import. Administrators should treat it as a high-risk issue until the fixed versions are deployed.

Generated by OpenCVE AI on May 14, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenImageIO to version 3.0.18.0 or later in the 3.0 series, or to 3.1.13.0 or later in the 3.1 series.
  • If an upgrade cannot be performed immediately, restrict the use of DPX 4:2:2 decoding to trusted sources or disable it entirely in your image processing workflow until a patch is available.
  • Audit your image ingestion pipeline to ensure that only authenticated, signed, or otherwise validated image files are processed, reducing the chance that a malicious DPX file can reach the decoder.

Advisories

No advisories yet.

History

Fri, 15 May 2026 18:15:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Openimageio; Openimageio openimageio
Type: CPEs
  Values removed: (none)
  Values added: cpe:2.3:a:openimageio:openimageio:*:*:*:*:*:*:*:*; cpe:2.3:a:openimageio:openimageio:3.2.0.0:dev:*:*:*:*:*:*; cpe:2.3:a:openimageio:openimageio:3.2.0.2:dev:*:*:*:*:*:*
Type: Vendors & Products
  Values removed: (none)
  Values added: Openimageio; Openimageio openimageio

Fri, 15 May 2026 15:15:00 +0000

Type: Metrics (ssvc)
  Values removed: (none)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 May 2026 11:30:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Academysoftwarefoundation; Academysoftwarefoundation openimageio
Type: Vendors & Products
  Values removed: (none)
  Values added: Academysoftwarefoundation; Academysoftwarefoundation openimageio

Thu, 14 May 2026 19:30:00 +0000

Type: Description
  Values removed: (none)
  Values added: OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the pixel-loop index expression i * 3 inside ConvertCbYCrYToRGB() causes the function to compute a large negative pointer offset into the output buffer, producing an out-of-bounds write that crashes the process. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Type: Title
  Values removed: (none)
  Values added: OpenImageIO: Signed integer overflow in ConvertCbYCrYToRGB leads to heap out-of-bounds write in DPX 4:2:2 decoder
Type: Weaknesses
  Values removed: (none)
  Values added: CWE-190; CWE-787
Type: References
  Values: (none shown)
Type: Metrics (cvssV3_1)
  Values removed: (none)
  Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T14:14:06.187Z

Reserved: 2026-05-04T16:11:33.086Z

Link: CVE-2026-43908

Vulnrichment

Updated: 2026-05-15T14:13:41.779Z

NVD

Status: Analyzed

Published: 2026-05-14T20:17:06.920

Modified: 2026-05-15T18:07:55.057

Link: CVE-2026-43908

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T11:15:25Z

Weaknesses