Description
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, the bounds check in TGAInput::decode_pixel computes k + palbytespp as unsigned 32-bit arithmetic. When k = 0xFFFFFFFC and palbytespp = 4, the addition wraps to 0, which compares less than palette_alloc_size and passes the check. The subsequent palette access uses the unwrapped k (0xFFFFFFFC) as the index, reading ~4 GB past the start of the palette buffer — SEGV. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Published: 2026-05-14
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer wraparound in the bounds check of TGAInput::decode_pixel in OpenImageIO. When an attacker provides a TGA file with a palette index of 0xFFFFFFFC and a palette of 4 bytes per entry, the unsigned arithmetic overflow turns the sum into zero, passing the bounds check. The decoder then reads memory at offset 0xFFFFFFFC from the palette buffer, which is approximately 4 GB past the buffer’s start, causing an out‑of‑bounds read and a segmentation fault. The impact is a denial‑of‑service as the application or dependent process will crash when processing the malicious image. This flaw is identified as CWE‑125: Out‑of‑bounds Read.

Affected Systems

The issue affects the OpenImageIO toolset released by the AcademySoftwareFoundation. Versions prior to 3.0.18.0 and 3.1.13.0 are vulnerable. All builds that include the TGA paletted image decoder and do not apply the correction in those releases are affected.

Risk and Exploitability

The CVSS base score of 5.5 indicates medium severity. EPSS is not available, so a probability estimate is unknown. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by supplying a crafted TGA file; the vector is most likely remote if the OpenImageIO library is part of a network‑serviced application, or local if an unprivileged user can instruct the program to read an arbitrary file. The attack does not provide code execution but can be used to crash the target to achieve denial of service or to observe memory contents if the read leaks information. No special prerequisites beyond providing an untrusted TGA image are required.

Generated by OpenCVE AI on May 14, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenImageIO to version 3.0.18.0 or newer, or 3.1.13.0 or newer, which includes the bounds‑check fix.
  • If an upgrade is not immediately possible, restrict the use of the TGA image format to trusted sources and disable processing of TGA files from untrusted input where feasible.
  • Monitor applications that use OpenImageIO for crashes or segmentation faults when handling user‑supplied images and apply patches as soon as they become available.

Generated by OpenCVE AI on May 14, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Openimageio
Openimageio openimageio
CPEs cpe:2.3:a:openimageio:openimageio:*:*:*:*:*:*:*:*
cpe:2.3:a:openimageio:openimageio:3.2.0.0:dev:*:*:*:*:*:*
cpe:2.3:a:openimageio:openimageio:3.2.0.2:dev:*:*:*:*:*:*
Vendors & Products Openimageio
Openimageio openimageio

Fri, 15 May 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Academysoftwarefoundation
Academysoftwarefoundation openimageio
Vendors & Products Academysoftwarefoundation
Academysoftwarefoundation openimageio

Thu, 14 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, the bounds check in TGAInput::decode_pixel computes k + palbytespp as unsigned 32-bit arithmetic. When k = 0xFFFFFFFC and palbytespp = 4, the addition wraps to 0, which compares less than palette_alloc_size and passes the check. The subsequent palette access uses the unwrapped k (0xFFFFFFFC) as the index, reading ~4 GB past the start of the palette buffer — SEGV. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Title OpenImageIO: Integer wraparound in bounds check of decode_pixel leads to out-of-bounds read in TGA paletted image decoder
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Academysoftwarefoundation Openimageio
Openimageio Openimageio
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:08:26.307Z

Reserved: 2026-05-04T20:24:31.917Z

Link: CVE-2026-43996

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-14T20:17:07.300

Modified: 2026-05-15T18:05:36.320

Link: CVE-2026-43996

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T11:15:25Z

Weaknesses