CVE-2026-43905

HIGH

OpenImageIO: JPEG2000 (OpenJPH) signed integer overflow in buffer allocation

Title source: cna

Description

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, jpeg2000input.cpp:395 computes buffer size as const int bufsize = w * h * ch * buffer_bpp using signed 32-bit arithmetic. When the product exceeds INT_MAX, the result wraps to 0 or a small value. m_buf.resize() allocates an undersized buffer, and subsequent pixel write loops cause heap overflow. Conditional on USE_OPENJPH build flag. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-pj45-cf3g-28gq

Scores

CVSS v3 7.8

EPSS 0.0017

EPSS Percentile 6.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-190

Status published

Products (3)

AcademySoftwareFoundation/OpenImageIO < 3.0.18.0

AcademySoftwareFoundation/OpenImageIO >= 3.1.4.0-beta, < 3.1.13.0

openimageio/openimageio < 3.0.18.0

Published May 14, 2026

Tracked Since May 15, 2026