CVE-2026-43907: CWE-190: Integer Overflow or Wraparound in AcademySoftwareFoundation OpenImageIO
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed integer overflow in QueryRGBBufferSizeInternal() in DPXColorConverter.cpp leads to a heap-based out-of-bounds write when processing crafted DPX image files. The function computes buffer sizes using 32-bit signed integer arithmetic with negative multipliers (e.g., pixels * -3 * bytes for kCbYCr descriptors and pixels * -4 * bytes for kABGR descriptors), where a negative result is used as an in-band signal that no separate buffer is needed. When the pixel count is sufficiently large, the multiplication overflows INT_MIN and wraps to a small positive value. The caller in dpxinput.cpp interprets this positive value as a required buffer size, allocates an undersized heap buffer via m_decodebuf.resize(), and then writes the full image data into it via fread, resulting in a heap buffer overflow. An attacker can exploit this by crafting a DPX file that triggers the overflow, causing a denial of service (crash) or potentially arbitrary code execution through heap corruption in any application that reads pixel data using OpenImageIO. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
AI Analysis
Technical Summary
OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0 contain a signed integer overflow vulnerability in the QueryRGBBufferSizeInternal() function within DPXColorConverter.cpp. The function calculates buffer sizes using 32-bit signed integer arithmetic with negative multipliers. When processing large pixel counts, the multiplication overflows INT_MIN and wraps to a small positive value, which is misinterpreted as a required buffer size. This leads to allocation of an undersized heap buffer and subsequent heap buffer overflow during fread operations in dpxinput.cpp. An attacker can exploit this by crafting malicious DPX image files to cause heap corruption, potentially leading to denial of service or arbitrary code execution in applications that use OpenImageIO to read pixel data. The issue is addressed in OpenImageIO versions 3.0.18.0 and 3.1.13.0.
Potential Impact
The vulnerability allows attackers to cause a heap buffer overflow by supplying crafted DPX image files to vulnerable OpenImageIO versions. This can result in application crashes (denial of service) or potentially arbitrary code execution due to heap corruption. The CVSS score of 8.3 reflects high impact with network attack vector, low attack complexity, no privileges required, user interaction required, and high integrity and availability impacts.
Mitigation Recommendations
The vulnerability is fixed in OpenImageIO versions 3.0.18.0 and 3.1.13.0. Users and organizations should upgrade to these or later versions to remediate the issue. Since this is not a cloud service, remediation depends on applying these updates to affected systems. Patch status is inferred from fixed version availability; check the vendor's official advisory for confirmation and detailed upgrade instructions.
CVE-2026-43907: CWE-190: Integer Overflow or Wraparound in AcademySoftwareFoundation OpenImageIO
Description
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed integer overflow in QueryRGBBufferSizeInternal() in DPXColorConverter.cpp leads to a heap-based out-of-bounds write when processing crafted DPX image files. The function computes buffer sizes using 32-bit signed integer arithmetic with negative multipliers (e.g., pixels * -3 * bytes for kCbYCr descriptors and pixels * -4 * bytes for kABGR descriptors), where a negative result is used as an in-band signal that no separate buffer is needed. When the pixel count is sufficiently large, the multiplication overflows INT_MIN and wraps to a small positive value. The caller in dpxinput.cpp interprets this positive value as a required buffer size, allocates an undersized heap buffer via m_decodebuf.resize(), and then writes the full image data into it via fread, resulting in a heap buffer overflow. An attacker can exploit this by crafting a DPX file that triggers the overflow, causing a denial of service (crash) or potentially arbitrary code execution through heap corruption in any application that reads pixel data using OpenImageIO. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0 contain a signed integer overflow vulnerability in the QueryRGBBufferSizeInternal() function within DPXColorConverter.cpp. The function calculates buffer sizes using 32-bit signed integer arithmetic with negative multipliers. When processing large pixel counts, the multiplication overflows INT_MIN and wraps to a small positive value, which is misinterpreted as a required buffer size. This leads to allocation of an undersized heap buffer and subsequent heap buffer overflow during fread operations in dpxinput.cpp. An attacker can exploit this by crafting malicious DPX image files to cause heap corruption, potentially leading to denial of service or arbitrary code execution in applications that use OpenImageIO to read pixel data. The issue is addressed in OpenImageIO versions 3.0.18.0 and 3.1.13.0.
Potential Impact
The vulnerability allows attackers to cause a heap buffer overflow by supplying crafted DPX image files to vulnerable OpenImageIO versions. This can result in application crashes (denial of service) or potentially arbitrary code execution due to heap corruption. The CVSS score of 8.3 reflects high impact with network attack vector, low attack complexity, no privileges required, user interaction required, and high integrity and availability impacts.
Mitigation Recommendations
The vulnerability is fixed in OpenImageIO versions 3.0.18.0 and 3.1.13.0. Users and organizations should upgrade to these or later versions to remediate the issue. Since this is not a cloud service, remediation depends on applying these updates to affected systems. Patch status is inferred from fixed version availability; check the vendor's official advisory for confirmation and detailed upgrade instructions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-04T16:11:33.086Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a062489ec166c07b00b4bdc
Added to database: 5/14/2026, 7:37:45 PM
Last enriched: 5/14/2026, 7:52:08 PM
Last updated: 5/15/2026, 7:28:33 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.