Integer Overflow Vulnerability in OpenImageIO Affects Image Processing
CVE-2026-43908

8.8HIGH

Key Information:

Vendor: Academysoftwarefoundation
Status: Openimageio
Vendor: CVE Published:; 14 May 2026

🔔 Create Academysoftwarefoundation Vulnerability Alert

What is CVE-2026-43908?

The OpenImageIO toolset, used for reading, writing, and manipulating various image file formats in visual effects and animation, is affected by an integer overflow vulnerability. Specifically, a flaw within the ConvertCbYCrYToRGB() function results in a signed 32-bit integer overflow in the pixel-loop index calculation, which can lead to an out-of-bounds write. This issue may crash the application or expose it to potential exploits. The vulnerability is resolved in versions 3.0.18.0 and 3.1.13.0, and users should upgrade to these versions to ensure system integrity.

Affected Version(s)

OpenImageIO < 3.0.18.0 < 3.0.18.0

OpenImageIO >= 3.1.4.0-beta, < 3.1.13.0 < 3.1.4.0-beta, 3.1.13.0

References

https://github.com/AcademySoftwareFoundation/OpenImageIO/...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
May 4, 2026

CVE-2026-43908 Data

JSON