CVE-2026-43907

Academy Software Foundation · OpenImageIO

OpenImageIO contains integer overflow and out-of-bounds write vulnerabilities that can be triggered through the processing of maliciously crafted image file formats.

Executive summary

Academy Software Foundation OpenImageIO is vulnerable to critical memory corruption flaws that may allow an unauthenticated attacker to compromise the integrity and availability of the host system.

Vulnerability

The library is vulnerable to CWE-190 (Integer Overflow) and CWE-787 (Out-of-bounds Write) due to improper validation of input data. An unauthenticated attacker can trigger these conditions via malicious image files, which may lead to memory corruption or arbitrary code execution.

Business impact

With a CVSS score of 8.3, this vulnerability represents a significant threat to production environments. Exploitation could lead to unauthorized access or the complete disruption of rendering and animation pipelines, causing significant operational downtime and potential data loss.

Remediation

Immediate Action: Apply the vendor-provided security updates by upgrading OpenImageIO to version 3.0.18.0 or 3.1.13.0.

Proactive Monitoring: Monitor memory consumption and application stability when processing high volumes of image data from external sources.

Compensating Controls: Deploy Web Application Firewalls (WAF) or file integrity monitoring tools to detect or block the transfer of malformed or suspicious image files.

Exploitation status

Public Exploit Available: No (Exploit_available: unknown)

Analyst recommendation

The risk posed by these memory-related vulnerabilities requires immediate administrative attention. Administrators must update the OpenImageIO library to the latest patched version to ensure full protection against potential exploitation attempts.