Heap Overflow Vulnerability in OpenImageIO Affects Image Manipulation Tools
CVE-2026-43904

8.4 HIGH

Key Information:

Vendor
CVE Published:
14 May 2026

What is CVE-2026-43904?

OpenImageIO, a versatile toolset for reading, writing, and manipulating various image file formats, is vulnerable to a heap overflow issue due to improper handling of run lengths in RLE compression paths. Specifically, the softimageinput.cpp code does not properly clamp the run length to the remaining width of the scanline before writing pixels, leaving the software open to potential exploitation via crafted .pic files. This flaw can result in a heap overflow of up to 65535 bytes, posing significant security risks. The vulnerability has been addressed in versions 3.0.18.0 and 3.1.13.0, and users are urged to upgrade to these versions to mitigate any risks.
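The defect described above, as an added illustration that is not OpenImageIO's code: a minimal RLE scanline decoder written for this page, whose packet layout, names and sample streams are all constructed assumptions rather than the real .pic format. The point it shows is the missing check the advisory names, clamping every run to the pixels that remain in the scanline (and, for literal runs, to the bytes that remain in the input) before any write, so that a crafted run count cannot carry the write past the end of the heap buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical packet layout, constructed for this example (not .pic):
   tag 0x00..0x7F : literal run, the next (tag + 1) bytes are pixel values
   tag 0x80..0xFF : repeat run, (tag - 0x7F) copies of the following byte */

typedef struct {
    size_t consumed;  /* input bytes read */
    size_t written;   /* pixels written to the scanline */
    int truncated;    /* nonzero if a run was cut to fit the width or input */
} rle_result;

/* Decode one scanline of `width` pixels from `in` into `out`.
   The clamps below are the check the advisory says was absent. */
rle_result decode_scanline(const uint8_t *in, size_t in_len,
                           uint8_t *out, size_t width)
{
    rle_result r = {0, 0, 0};
    size_t x = 0, i = 0;
    while (x < width && i < in_len) {
        uint8_t tag = in[i++];
        size_t run;
        if (tag & 0x80) {
            run = (size_t)(tag - 0x7F);                 /* 1..128 pixels */
            if (i >= in_len) { r.truncated = 1; break; } /* no value byte */
            uint8_t v = in[i++];
            if (run > width - x) { run = width - x; r.truncated = 1; }
            memset(out + x, v, run);
            x += run;
        } else {
            run = (size_t)tag + 1;                      /* 1..128 pixels */
            if (run > in_len - i) { run = in_len - i; r.truncated = 1; }
            if (run > width - x) { run = width - x; r.truncated = 1; }
            memcpy(out + x, in + i, run);
            i += run;
            x += run;
        }
    }
    r.consumed = i;
    r.written = x;
    return r;
}

/* Constructed check: a well-formed stream fills an 8-pixel scanline exactly. */
int well_formed_stream_decodes(void)
{
    static const uint8_t in[] = {0x83, 0xAA, 0x02, 0x01, 0x02, 0x03, 0x80, 0xBB};
    static const uint8_t expect[] = {0xAA, 0xAA, 0xAA, 0xAA, 0x01, 0x02, 0x03, 0xBB};
    uint8_t out[8] = {0};
    rle_result r = decode_scanline(in, sizeof in, out, sizeof out);
    return r.written == 8 && r.consumed == 8 && !r.truncated
        && memcmp(out, expect, sizeof expect) == 0;
}

/* Constructed check: a 128-pixel repeat run aimed at an 8-pixel scanline is
   clamped, and the sentinel byte just past the buffer stays untouched. */
int oversized_run_is_clamped(void)
{
    static const uint8_t in[] = {0xFF, 0x41};
    uint8_t out[9];
    memset(out, 0, sizeof out);
    out[8] = 0x5A; /* sentinel one byte beyond the scanline */
    rle_result r = decode_scanline(in, sizeof in, out, 8);
    return r.written == 8 && r.consumed == 2 && r.truncated
        && out[7] == 0x41 && out[8] == 0x5A;
}

/* Constructed check: a literal run longer than the remaining input is cut. */
int short_literal_is_truncated(void)
{
    static const uint8_t in[] = {0x05, 0x01, 0x02}; /* asks for 6, only 2 follow */
    uint8_t out[8] = {0};
    rle_result r = decode_scanline(in, sizeof in, out, sizeof out);
    return r.written == 2 && r.consumed == 3 && r.truncated;
}

int main(void)
{
    printf("well-formed: %d\n", well_formed_stream_decodes());
    printf("oversized run clamped: %d\n", oversized_run_is_clamped());
    printf("short literal truncated: %d\n", short_literal_is_truncated());
    return 0;
}
```

Whether a clamped run should be silently truncated or should fail the whole decode is a policy choice; what matters for the heap is that the bound is computed from the remaining width before the write, never from the run count in the file.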

Affected Version(s)

OpenImageIO < 3.0.18.0

OpenImageIO >= 3.1.4.0-beta, < 3.1.13.0

References

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
