CVE-2026-43908
Academy Software Foundation · OpenImageIO
OpenImageIO is vulnerable to integer overflow and out-of-bounds write conditions that can lead to memory corruption when parsing malformed image files.
Executive summary
Academy Software Foundation OpenImageIO is affected by critical memory corruption vulnerabilities that could lead to unauthorized system access or denial of service.
Vulnerability
The software suffers from CWE-190 (Integer Overflow) and CWE-787 (Out-of-bounds Write) vulnerabilities. An unauthenticated attacker can exploit these issues by tricking a user into processing a malicious image file, resulting in memory corruption.
Business impact
The CVSS score of 8.8 highlights the severity of this vulnerability. Successful exploitation can result in the execution of arbitrary code with the privileges of the application, leading to potential data breaches and total loss of system integrity in VFX and animation environments.
Remediation
Immediate Action: Upgrade to OpenImageIO version 3.0.18.0, 3.1.13.0, or newer to resolve the underlying memory management flaws.
Proactive Monitoring: Review application error logs for segmentation faults or abnormal exit codes associated with image parsing modules.
Compensating Controls: Utilize sandboxed processing environments or restricted service accounts for image manipulation tasks to limit the impact of a potential exploit.
Exploitation status
Public Exploit Available: No (Exploit_available: unknown)
Analyst recommendation
Due to the severity of the potential impact, all affected installations of OpenImageIO should be updated to the patched versions as a matter of urgency. Ensure that all downstream dependencies are also updated to maintain consistency and security across the infrastructure.