Heap Buffer Overflow in OpenImageIO Affects Image File Handling
CVE-2026-43903

8.4HIGH

Key Information:

Vendor: Academysoftwarefoundation
Status: Openimageio
Vendor: CVE Published:; 14 May 2026

🔔 Create Academysoftwarefoundation Vulnerability Alert

What is CVE-2026-43903?

OpenImageIO, a versatile toolset for reading and manipulating various image file formats, has a vulnerability in its handling of RLE-encoded .sgi files. Specifically, prior to versions 3.0.18.0 and 3.1.13.0, the code fails to properly conduct bounds checks in the RLE decoding loop due to the optimization of OIIO_DASSERT in release builds. This oversight allows for a crafted .sgi file with an RLE count that exceeds the scanline width to trigger a heap buffer overflow, potentially leading to application crashes. Users are encouraged to upgrade to the latest versions to mitigate this risk.

Affected Version(s)

OpenImageIO < 3.0.18.0 < 3.0.18.0

OpenImageIO >= 3.1.4.0-beta, < 3.1.13.0 < 3.1.4.0-beta, 3.1.13.0

References

https://github.com/AcademySoftwareFoundation/OpenImageIO/...

x_refsource_CONFIRM

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
May 4, 2026

CVE-2026-43903 Data

JSON