CVE-2026-43909
Academy Software Foundation · OpenImageIO
OpenImageIO contains memory safety vulnerabilities including out-of-bounds read/write and integer overflows, which can be triggered when processing maliciously crafted image files.
Executive summary
OpenImageIO is affected by multiple memory corruption vulnerabilities that could allow an unauthenticated attacker to achieve arbitrary code execution or cause a system crash.
Vulnerability
The application is susceptible to CWE-125 (Out-of-bounds Read), CWE-190 (Integer Overflow), and CWE-787 (Out-of-bounds Write) when parsing image files. These flaws allow an unauthenticated attacker to trigger memory corruption via a specially crafted image file, typically requiring user interaction to open the file.
Business impact
With a CVSS score of 8.8 (High), these vulnerabilities pose a significant risk to the confidentiality, integrity, and availability of systems utilizing OpenImageIO. Successful exploitation could lead to full system compromise or service disruption, particularly in production pipelines where VFX and animation assets are frequently processed.
Remediation
Immediate Action: Update OpenImageIO to version 3.0.18.0 or 3.1.13.0, or apply the relevant upstream fix commits provided by the vendor.
Proactive Monitoring: Monitor system logs for unexpected application crashes or abnormal memory usage patterns during image processing tasks.
Compensating Controls: Implement strict input validation or sandboxing for image processing workflows to prevent the loading of untrusted or malformed files.
Exploitation status
Public Exploit Available: No (Exploit_available: unknown)
Analyst recommendation
Given the potential for arbitrary code execution, organizations should prioritize patching OpenImageIO in all environments that handle external or untrusted image data. Apply the identified version updates immediately to mitigate the risk of memory-based exploitation.