PT-2026-41022 · Unknown+2 · Openimageio+2

·

CVE-2026-43903

·

Published

2026-05-14

·

Updated

2026-06-17

CVSS v4.0

8.4

High

VectorAV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions OpenImageIO versions prior to 3.0.18.0 OpenImageIO versions prior to 3.1.13.0
Description OpenImageIO is a toolset for reading, writing, and manipulating image files for VFX and animation. A heap buffer overflow and crash can occur when processing a crafted .sgi file where the RLE (Run-Length Encoding) count exceeds the scanline width. This happens because the sgiinput.cpp file uses OIIO DASSERT for bounds checking in the RLE decode loop; in release builds, this macro is compiled as a no-op, effectively disabling the bounds checks.
Recommendations Update to version 3.0.18.0. Update to version 3.1.13.0.

Exploit

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43903
GHSA-JG3Q-VM3Q-2J35
USN-8438-1

Affected Products

Linuxmint
Openimageio
Ubuntu