Description
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the loop index expression i * 4 inside SwapRGBABytes() causes the function to compute a large negative pointer offset when processing kABGR DPX images with large dimensions. The immediate crash is an out-of-bounds read (the memcpy at line 45 reads from &input[i * 4] first), but the subsequent write operations at lines 46–49 target the same wrapped offset — making this a combined OOB read+write primitive. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Published: 2026-05-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A signed 32-bit integer overflow occurs in OpenImageIO's SwapRGBABytes() function when decoding DPX kABGR images with large dimensions. Once the pixel index i exceeds INT_MAX / 4 (536870911), the expression i * 4 wraps to a large negative value; the memcpy then reads from that negative offset and the following byte writes target the same wrapped offset, giving an attacker who controls the file a combined out-of-bounds read and write primitive that at minimum crashes the decoding process.

Affected Systems

The vulnerability affects the AcademySoftwareFoundation OpenImageIO library in 3.0.x releases before 3.0.18.0 and 3.1.x releases before 3.1.13.0; NVD's CPE data additionally lists the 3.2.0.0 and 3.2.0.2 development builds. Because the dimensions come from the DPX header, any installation that decodes untrusted DPX ABGR files with an affected version is exposed, whether through the oiiotool/iconvert command-line tools or through applications that link the library. The problem is fixed in 3.0.18.0 and 3.1.13.0.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, score 8.8 High) models a crafted file delivered over the network and opened by a user, with no privileges required. The EPSS score is below 1% (very low) and the vulnerability is not listed in CISA's KEV catalog, although the SSVC assessment records a public proof of concept. An attacker can trigger the issue by supplying a DPX file with maliciously large header dimensions, either directly or through a media-processing pipeline that ingests untrusted images, leading to memory corruption or denial of service.

Generated by OpenCVE AI on May 14, 2026 at 20:36 UTC.

Remediation

Fixed upstream in OpenImageIO 3.0.18.0 and 3.1.13.0. No workaround other than restricting the DPX input reaching the decoder is described.

OpenCVE Recommended Actions

  • Apply the official fix by upgrading OpenImageIO to 3.0.18.0 or later on the 3.0 branch, or 3.1.13.0 or later on the 3.1 branch, to eliminate the signed integer overflow.
  • If an upgrade is not immediately possible, validate or constrain input DPX files so that image dimensions remain within safe bounds before decoding.
  • Continuously monitor system logs for abnormal crashes or memory corruption events and apply subsequent updates from the AcademySoftwareFoundation as they become available.
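The fault class from the description and the pre-decode dimension check from the second recommended action, modelled together in C++ as an added example. This is not OpenImageIO's code: the function names are hypothetical, the wrap is reproduced with unsigned arithmetic rather than by executing undefined signed overflow, and the bound assumes 4 bytes per pixel (8-bit kABGR) with i counting pixels, as the description's i * 4 implies.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Added example (not OpenImageIO's code). Assumes 4 bytes per pixel, as for
// 8-bit kABGR data, and that the loop index i counts pixels.

// The flawed pattern: a signed 32-bit loop index multiplied by 4. Past
// i = INT32_MAX / 4 the product exceeds INT32_MAX. Signed overflow is
// undefined in C++, so the wrap is modelled with a modular unsigned multiply
// and reinterpreted, which is what two's-complement hardware produces.
int32_t wrapped_byte_offset(int32_t i) {
    uint32_t u = static_cast<uint32_t>(i) * 4u;  // well-defined modular multiply
    return static_cast<int32_t>(u);              // negative once bit 31 is set
}

// Hardened offset: size_t indexing cannot go negative and, on 64-bit hosts,
// holds any pixel count a DPX header can express.
size_t safe_byte_offset(size_t i) { return i * 4; }

// Pre-decode guard: reject dimensions whose pixel count would push a 32-bit
// `i * 4` past the wrap point (536870911 pixels). Division avoids overflowing
// width * height itself while computing the bound.
bool dpx_dims_within_int_bounds(uint64_t width, uint64_t height) {
    const uint64_t max_pixels =
        static_cast<uint64_t>(std::numeric_limits<int32_t>::max()) / 4;
    if (width == 0 || height == 0) return false;
    return width <= max_pixels / height;  // equivalent to width*height <= max_pixels
}

// Hardened swap: kABGR bytes [A,B,G,R] to RGBA [R,G,B,A] over a whole buffer,
// indexed with size_t. Input length must be a multiple of 4.
std::vector<uint8_t> swap_abgr_to_rgba(const std::vector<uint8_t>& in) {
    std::vector<uint8_t> out(in.size());
    const size_t npixels = in.size() / 4;
    for (size_t i = 0; i < npixels; ++i) {
        const uint8_t* src = in.data() + safe_byte_offset(i);
        uint8_t* dst = out.data() + safe_byte_offset(i);
        dst[0] = src[3];  // R
        dst[1] = src[2];  // G
        dst[2] = src[1];  // B
        dst[3] = src[0];  // A
    }
    return out;
}

int main() {
    // Constructed indices: last safe value, first wrapped value, a 600M-pixel image.
    std::printf("i=536870911 -> %d\n", wrapped_byte_offset(536870911));  // 2147483644
    std::printf("i=536870912 -> %d\n", wrapped_byte_offset(536870912));  // -2147483648
    std::printf("i=600000000 -> %d (size_t: %zu)\n",
                wrapped_byte_offset(600000000), safe_byte_offset(600000000));
    std::printf("4096x2160 ok: %d, 32768x32768 ok: %d\n",
                dpx_dims_within_int_bounds(4096, 2160),
                dpx_dims_within_int_bounds(32768, 32768));
    // Constructed two-pixel kABGR buffer.
    std::vector<uint8_t> abgr = {0x01, 0x02, 0x03, 0x04, 0x11, 0x12, 0x13, 0x14};
    std::vector<uint8_t> rgba = swap_abgr_to_rgba(abgr);
    std::printf("pixel0 RGBA: %02x %02x %02x %02x\n", rgba[0], rgba[1], rgba[2], rgba[3]);
    return 0;
}
```

The check belongs in whatever code opens the file before it hands the buffer to the decoder; applying it after the fact does nothing, because the negative offset is produced on the first pixel past the wrap point, not at the end of the image.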

Generated by OpenCVE AI on May 14, 2026 at 20:36 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 15 May 2026 18:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Openimageio
                                      Openimageio openimageio
CPEs                 -                cpe:2.3:a:openimageio:openimageio:*:*:*:*:*:*:*:*
                                      cpe:2.3:a:openimageio:openimageio:3.2.0.0:dev:*:*:*:*:*:*
                                      cpe:2.3:a:openimageio:openimageio:3.2.0.2:dev:*:*:*:*:*:*
Vendors & Products   -                Openimageio
                                      Openimageio openimageio

Thu, 14 May 2026 21:30:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 19:30:00 +0000

Type                 Values Removed   Values Added
Description          -                OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the loop index expression i * 4 inside SwapRGBABytes() causes the function to compute a large negative pointer offset when processing kABGR DPX images with large dimensions. The immediate crash is an out-of-bounds read (the memcpy at line 45 reads from &input[i * 4] first), but the subsequent write operations at lines 46–49 target the same wrapped offset — making this a combined OOB read+write primitive. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Title                -                OpenImageIO: Signed integer overflow in SwapRGBABytes loop index leads to out-of-bounds read/write in DPX ABGR decoder
Weaknesses           -                CWE-125, CWE-190, CWE-787
References
Metrics              -                cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:49:59.966Z

Reserved: 2026-05-04T16:11:33.086Z

Link: CVE-2026-43909

Vulnrichment

Updated: 2026-05-14T19:37:22.736Z

NVD

Status : Analyzed

Published: 2026-05-14T20:17:07.063

Modified: 2026-05-15T18:07:20.507

Link: CVE-2026-43909

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T20:45:28Z

Weaknesses