Heap-based Buffer Overflow in OpenImageIO HEIF Decoder Affects Image Processing Tools
CVE-2026-43906

8.5 HIGH

Key Information:

CVE Published:
14 May 2026

What is CVE-2026-43906?

A heap-based buffer overflow vulnerability exists in the HEIF decoder of OpenImageIO, affecting the 3.0.x line before 3.0.18.0 and the 3.1.x line before 3.1.13.0. The issue arises from a mismatch in subimage metadata: a crafted image can cause the decoder to write beyond the bounds of a heap buffer. Such an out-of-bounds write can lead to memory corruption and potentially to code execution within the affected process, so any tool that loads untrusted HEIF files through OpenImageIO is exposed. Users should update to the patched versions to mitigate this risk.

Affected Version(s)

OpenImageIO < 3.0.18.0

OpenImageIO >= 3.1.4.0-beta, < 3.1.13.0

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published: 14 May 2026

  • Vulnerability reserved