CVE-2022-43600

Name of the Vulnerable Software and Affected Versions OpenImageIO version 2.4.4.2

Description Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO. A specially crafted ImageOutput Object can lead to a heap buffer overflow. This issue arises when the xmax variable is set to 0xFFFF and m spec.format is TypeDesc::UINT16. An attacker can provide malicious input to trigger these vulnerabilities, potentially allowing remote access to confidential data, disruption of data integrity, and denial of service.

Recommendations For OpenImageIO version 2.4.4.2, consider disabling the IFFOutput::close() function until a patch is available to prevent exploitation. Restrict access to the IFFOutput component to minimize the risk of exploitation. Avoid using the xmax variable with a value of 0xFFFF and m spec.format set to TypeDesc::UINT16 in the affected ImageOutput Object until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.