CVE-2022-43597

Name of the Vulnerable Software and Affected Versions OpenImageIO versions 2.4.4.2

Description Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO. A specially crafted ImageOutput Object can lead to arbitrary code execution. An attacker can provide malicious input to trigger these vulnerabilities. This vulnerability arises when the m spec.format is TypeDesc::UINT8. The issue is related to a buffer overflow in memory, which can allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service using a specially crafted file.

Recommendations For OpenImageIO version 2.4.4.2, consider disabling the IFFOutput alignment padding functionality until a patch is available. Restrict access to the vulnerable m spec.format when it is set to TypeDesc::UINT8 to minimize the risk of exploitation. Avoid using the m spec.format variable with the value TypeDesc::UINT8 in the affected ImageOutput Object until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.