Heap Buffer Overflow Vulnerability in OpenImageIO Affecting Image Processing Applications
CVE-2026-43907

8.3 HIGH

Key Information:

Vendor
CVE Published:
14 May 2026

What is CVE-2026-43907?

OpenImageIO is a widely used toolset for reading, writing, and manipulating many image formats. A vulnerability has been identified in versions prior to 3.0.18.0 and 3.1.13.0: a signed integer overflow can occur in the function QueryRGBBufferSizeInternal() in DPXColorConverter.cpp. The overflow is triggered while processing a specially crafted DPX image file, and the resulting buffer size is erroneously computed as a small positive value. Because that undersized value is used for the heap allocation, writing the image data into the buffer can overflow it. An attacker can exploit this vulnerability, potentially leading to application crashes or arbitrary code execution when an affected application parses a malicious DPX file. The flaw is fixed in versions 3.0.18.0 and 3.1.13.0.
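To make the bug class concrete, here is an added example (not OpenImageIO's code; the function names, the DPX field values and the `__builtin_mul_overflow` based fix are assumptions of this illustration) that places a 32-bit size computation that wraps to a small positive value beside an overflow-checked replacement.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example: a hypothetical DPX RGB buffer-size query, NOT OpenImageIO's
 * QueryRGBBufferSizeInternal(). It reproduces only the bug class the advisory
 * describes: a 32-bit signed size product that wraps to a small positive value. */

/* Vulnerable pattern: the product is evaluated in 32 bits and returned as int.
 * Wraparound is emulated with uint32_t so the result is deterministic; in the
 * real signed-int form the overflow is undefined behaviour. */
int rgb_buffer_size_unchecked(int width, int height, int channels, int bytes_per_channel)
{
    uint32_t n = (uint32_t)width * (uint32_t)height;
    n *= (uint32_t)channels;
    n *= (uint32_t)bytes_per_channel;
    return (int)(int32_t)n;               /* wrapped: far too small for the image */
}

/* Hardened pattern: reject non-positive fields, multiply with overflow
 * detection (GCC/Clang builtin), and require the result to fit the int-sized
 * API it replaces. Returns 0 on rejection so callers never allocate from a
 * bogus size. */
size_t rgb_buffer_size_checked(int width, int height, int channels, int bytes_per_channel)
{
    if (width <= 0 || height <= 0 || channels <= 0 || bytes_per_channel <= 0)
        return 0;
    size_t n = (size_t)width;
    if (__builtin_mul_overflow(n, (size_t)height, &n) ||
        __builtin_mul_overflow(n, (size_t)channels, &n) ||
        __builtin_mul_overflow(n, (size_t)bytes_per_channel, &n))
        return 0;
    if (n > (size_t)INT_MAX)              /* would not fit the original int API */
        return 0;
    return n;
}

int main(void)
{
    /* Constructed header values: 65537 x 65536 pixels, 3 channels, 8-bit. */
    int w = 65537, h = 65536, c = 3, b = 1;
    printf("unchecked size: %d bytes\n", rgb_buffer_size_unchecked(w, h, c, b));
    printf("checked size:   %zu (0 = rejected)\n", rgb_buffer_size_checked(w, h, c, b));
    printf("1920x1080 RGB16: %zu bytes\n", rgb_buffer_size_checked(1920, 1080, 3, 2));
    return 0;
}
```

The unchecked query reports 196608 bytes for an image that actually needs about 12 GiB, which is exactly the undersized allocation the advisory describes; the checked query refuses the header instead.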

Affected Version(s)

OpenImageIO < 3.0.18.0

OpenImageIO >= 3.1.4.0-beta, < 3.1.13.0

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved