CVE-2022-43598

Name of the Vulnerable Software and Affected Versions OpenImageIO versions 2.4.4.2

Description The issue is related to a memory buffer overflow in the IFFOutput component of the OpenImageIO library. This can allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service using a specially crafted file. The vulnerability arises when the m spec.format is TypeDesc::UINT16, allowing for arbitrary code execution through a specially crafted ImageOutput Object.

Recommendations For OpenImageIO version 2.4.4.2, consider disabling the IFFOutput alignment padding functionality until a patch is available to prevent exploitation. Restrict access to the vulnerable component to minimize the risk of arbitrary code execution. Avoid using the m spec.format as TypeDesc::UINT16 in the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.