CVE-2026-43904
Academy Software Foundation · OpenImageIO
An out-of-bounds write vulnerability in OpenImageIO allows for memory corruption when handling malformed image files, potentially leading to arbitrary code execution.
Executive summary
A critical out-of-bounds write vulnerability in Academy Software Foundation OpenImageIO could allow an attacker to achieve total system impact via maliciously crafted image files.
Vulnerability
This vulnerability is an out-of-bounds write (CWE-787) occurring when the software processes image data. The flaw is triggered via user interaction with a malicious file and does not require attacker authentication.
Business impact
Out-of-bounds write vulnerabilities are highly dangerous as they allow attackers to overwrite critical memory regions, potentially leading to full application control. A CVSS score of 7.8 accurately reflects the high risk to data integrity and system availability in environments that rely on OpenImageIO for critical rendering and transcoding tasks.
Remediation
Immediate Action: Update OpenImageIO to version 3.0.18.0 or 3.1.13.0 to resolve the memory corruption vulnerability.
Proactive Monitoring: Monitor for abnormal memory usage or segmentation faults in applications utilizing the OpenImageIO library.
Compensating Controls: Use memory-safe wrappers or restrict the execution environment of the image-processing component to prevent unauthorized memory access.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the severity of potential memory corruption, it is imperative to apply the provided software updates immediately. Ensure all downstream applications that bundle the OpenImageIO library are also recompiled or updated with the patched version.