CVE-2022-43599

Name of the Vulnerable Software and Affected Versions OpenImageIO version 2.4.4.2

Description Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities. This issue arises when the xmax variable is set to 0xFFFF and m spec.format is TypeDesc::UINT8. The vulnerability can allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service using a specially crafted file.

Recommendations For OpenImageIO version 2.4.4.2, as a temporary workaround, consider disabling the IFFOutput::close() function until a patch is available. Restrict access to the IFFOutput component to minimize the risk of exploitation. Avoid using the xmax variable with a value of 0xFFFF and m spec.format set to TypeDesc::UINT8 in the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.