CVE-2026-43903
Academy Software Foundation · OpenImageIO
An out-of-bounds write vulnerability in OpenImageIO allows for memory corruption when handling malformed image files, potentially resulting in application crashes or unauthorized code execution.
Executive summary
A critical out-of-bounds write vulnerability in Academy Software Foundation OpenImageIO could allow an attacker to achieve total system impact via maliciously crafted image files.
Vulnerability
This vulnerability is an out-of-bounds write (CWE-787) triggered during the processing of image data. The attack is unauthenticated and requires a user to interact with a malicious file to initiate the vulnerability.
Business impact
The ability to perform an out-of-bounds write allows an attacker to corrupt program state or execute arbitrary code, creating a high risk to the confidentiality and integrity of the host system. The CVSS score of 7.8 underscores the necessity of addressing this flaw to prevent unauthorized access or service disruption in production VFX environments.
Remediation
Immediate Action: Upgrade to OpenImageIO version 3.0.18.0 or 3.1.13.0 as soon as possible to mitigate this risk.
Proactive Monitoring: Review application logs for errors related to file parsing or unexpected termination of image processing services.
Compensating Controls: Employ security tools to detect and block malformed files before they reach the processing engine, and ensure that the application runs with the minimum necessary privileges.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations should treat this update with high urgency. Patching the library is the most effective way to address the underlying memory corruption risk and prevent potential exploitation.