How to break ImageIO with a single .exr file

Billy Ellis (ZygoSec, London) has published proof-of-concept (PoC) research demonstrating an integer overflow vulnerability in Apple's ImageIO, the framework macOS and iOS use to process image files.
When decoding OpenEXR (.exr) images, the decodeBlockAppleEXR function calculates the dataWindow buffer size as width × height. By choosing specific values, an attacker can trigger an integer overflow that wraps the result to zero. As a result, malloc allocates only 16 bytes of memory, while a subsequent call to AppleEXRDestinationNotBigEnough attempts to write a NULL byte to the end of the allocated buffer.
Roughly 20% of the time, the target address points to valid memory, allowing the NULL byte write to succeed and the process to continue running with corrupted memory.
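An added example, not code from Apple or from the researcher's PoC: the wrapping size calculation described above, next to a checked version and a bounds-checked byte write. The 32-bit operand width, the function names, the MAX_PIXELS cap and the sample dimensions are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap on pixels per block; not a value from the page. */
#define MAX_PIXELS ((uint64_t)1 << 28)

/* Vulnerable pattern: a 32-bit product wraps modulo 2^32 without any error. */
static uint32_t block_size_unchecked(uint32_t width, uint32_t height) {
    return width * height;
}

/* Hardened: multiply in 64 bits, reject empty or oversized windows.
 * Returns 0 and stores the size on success, -1 on rejection. */
static int block_size_checked(uint32_t width, uint32_t height, size_t *out) {
    uint64_t n = (uint64_t)width * (uint64_t)height;
    if (width == 0 || height == 0 || n > MAX_PIXELS)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Bounds-checked single-byte write. How the real decoder derives its write
 * offset is not stated on the page; this only shows the missing check. */
static int put_nul(uint8_t *buf, size_t alloc_len, uint64_t offset) {
    if (buf == NULL || offset >= alloc_len)
        return -1;
    buf[offset] = 0;
    return 0;
}

int main(void) {
    uint32_t w = 0x10000u, h = 0x10000u;   /* constructed: 2^16 * 2^16 = 2^32 */
    size_t n = 0;
    printf("unchecked size: %u\n", (unsigned)block_size_unchecked(w, h));
    if (block_size_checked(w, h, &n) != 0)
        puts("checked: header rejected before any allocation");
    if (block_size_checked(640, 480, &n) == 0) {
        uint8_t *buf = malloc(n);
        printf("640x480 -> %zu bytes, terminator write: %d\n",
               n, put_nul(buf, n, n - 1));
        printf("out-of-range write refused: %d\n", put_nul(buf, n, n));
        free(buf);
    }
    return 0;
}
```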
🎯 Why it matters: this vulnerability can lead to memory corruption ranging from denial of service (DoS) to potential remote code execution (RCE). The attack can be triggered through any app that relies on ImageIO, including messengers, mail clients, browsers, and file preview services.
🛠 Apple patched the issue in iOS/macOS 26.5 (May 11, 2026).
🦠 The PoC is likely related to either CVE-2026-43661 or CVE-2026-28990.
Vendors: Apple, Zygosec
Products: Exr-Imageio-Poc, Imageio, Ios, Macos, Openexr
Published: 2026-05-28, 07:54