CVE-2026-43909

Summary

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the loop index expression i * 4 inside SwapRGBABytes() causes the function to compute a large negative pointer offset when processing kABGR DPX images with large dimensions. The immediate crash is an out-of-bounds read (the memcpy at line 45 reads from &input[i * 4] first), but the subsequent write operations at lines 46–49 target the same wrapped offset — making this a combined OOB read+write primitive. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

Affected Software

VendorProductVersion RangeStatus
AcademySoftwareFoundationOpenImageIO< 3.0.18.0affected
AcademySoftwareFoundationOpenImageIO>= 3.1.4.0-beta, < 3.1.13.0affected

Weaknesses

  • CWE-125: CWE-125: Out-of-bounds Read
  • CWE-190: CWE-190: Integer Overflow or Wraparound
  • CWE-787: CWE-787: Out-of-bounds Write

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References