CVE-2026-43908

Academy Software Foundation · OpenImageIO

OpenImageIO is vulnerable to integer overflow and out-of-bounds write conditions that can lead to memory corruption when parsing malformed image files.

Executive summary

Academy Software Foundation OpenImageIO is affected by critical memory corruption vulnerabilities that could lead to unauthorized system access or denial of service.

Vulnerability

The software suffers from CWE-190 (Integer Overflow) and CWE-787 (Out-of-bounds Write) vulnerabilities. An unauthenticated attacker can exploit these issues by tricking a user into processing a malicious image file, resulting in memory corruption.

Business impact

The CVSS score of 8.8 highlights the severity of this vulnerability. Successful exploitation can result in the execution of arbitrary code with the privileges of the application, leading to potential data breaches and total loss of system integrity in VFX and animation environments.

Remediation

Immediate Action: Upgrade to OpenImageIO version 3.0.18.0, 3.1.13.0, or newer to resolve the underlying memory management flaws.

Proactive Monitoring: Review application error logs for segmentation faults or abnormal exit codes associated with image parsing modules.

Compensating Controls: Utilize sandboxed processing environments or restricted service accounts for image manipulation tasks to limit the impact of a potential exploit.

Exploitation status

Public Exploit Available: No (Exploit_available: unknown)

Analyst recommendation

Due to the severity of the potential impact, all affected installations of OpenImageIO should be updated to the patched versions as a matter of urgency. Ensure that all downstream dependencies are also updated to maintain consistency and security across the infrastructure.