CVE-2022-36354

MEDIUM

OpenImageIO master-branch-9aeece7a/v2.3.19.0 - Info Disclosure

Title source: llm

Description

A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability.

References (1)

[Exploit, Third Party Advisory] https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629

Scores

CVSS v3 5.3

EPSS 0.0014

EPSS Percentile 34.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-193

Status published

Products (2)

debian/debian_linux 11.0

openimageio/openimageio 2.3.19.0

Published Dec 22, 2022

Tracked Since Feb 18, 2026