CVE-2026-43905

Academy Software Foundation · OpenImageIO

An integer overflow vulnerability in OpenImageIO allows for potential memory corruption when processing malformed image files, leading to a crash or potential arbitrary code execution.

Executive summary

A critical integer overflow vulnerability exists in Academy Software Foundation OpenImageIO, which could allow an attacker to achieve total system impact via maliciously crafted image files.

Vulnerability

This vulnerability is an integer overflow (CWE-190) occurring during the parsing of image files. The attack requires local access and user interaction (opening a malicious file), and the attacker does not require specific privileges.

Business impact

Successful exploitation of this integer overflow can lead to a complete compromise of the application context, potentially resulting in unauthorized data access or system instability. While the CVSS score of 7.8 indicates a high severity, the ability to trigger memory corruption poses a significant risk to high-availability VFX and animation production pipelines.

Remediation

Immediate Action: Update OpenImageIO to version 3.0.18.0 or 3.1.13.0, or the latest available stable release, to patch the integer overflow flaw.

Proactive Monitoring: Monitor system logs for unexpected application crashes or memory access violations that may indicate attempts to trigger the overflow.

Compensating Controls: Implement strict input validation or sandboxing for any automated image processing workflows to limit the impact of processing untrusted files.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The vulnerability represents a significant risk to the integrity of systems processing visual media. Administrators should prioritize patching OpenImageIO within their development and production environments to neutralize this memory corruption vector.