CVE-2026-43907

Exploit

EPSS 0.04%
Veröffentlicht 14.05.2026 19:07:05
Zuletzt bearbeitet 15.05.2026 19:43:22
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenImageIO: Integer overflow in QueryRGBBufferSizeInternal leads to heap out-of-bounds write in DPX decoder (kCbYCr and kABGR)

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed integer overflow in QueryRGBBufferSizeInternal() in DPXColorConverter.cpp leads to a heap-based out-of-bounds write when processing crafted DPX image files. The function computes buffer sizes using 32-bit signed integer arithmetic with negative multipliers (e.g., pixels * -3 * bytes for kCbYCr descriptors and pixels * -4 * bytes for kABGR descriptors), where a negative result is used as an in-band signal that no separate buffer is needed. When the pixel count is sufficiently large, the multiplication overflows INT_MIN and wraps to a small positive value. The caller in dpxinput.cpp interprets this positive value as a required buffer size, allocates an undersized heap buffer via m_decodebuf.resize(), and then writes the full image data into it via fread, resulting in a heap buffer overflow. An attacker can exploit this by crafting a DPX file that triggers the overflow, causing a denial of service (crash) or potentially arbitrary code execution through heap corruption in any application that reads pixel data using OpenImageIO. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 4

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openimageio ≫ Openimageio Version < 3.0.18.0

Openimageio ≫ Openimageio Version >= 3.1.4.0 < 3.1.13.0

Openimageio ≫ Openimageio Version3.2.0.2 Updatedev

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.119

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.3	2.8	5.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H

CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-cq46-hp4h-cvfr

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-43907

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-43907

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-43907

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-43907