PT-2026-41026 · Unknown+2 · Openimageio+2
Biniamf · Published 2026-05-14 · Updated 2026-06-16 · CVE-2026-43907
CVSS v2.0: 9.7 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:C/A:C
Name of the Vulnerable Software and Affected Versions
OpenImageIO versions prior to 3.0.18.0
OpenImageIO versions prior to 3.1.13.0
Description
A signed integer overflow exists in the QueryRGBBufferSizeInternal() function within DPXColorConverter.cpp when processing crafted DPX image files. The function uses 32-bit signed integer arithmetic with negative multipliers to compute buffer sizes; however, a sufficiently large pixel count can cause the multiplication to overflow INT_MIN and wrap to a small positive value. The system interprets this value as the required buffer size and allocates an undersized heap buffer via m_decodebuf.resize(). Subsequently, writing the full image data via fread results in a heap-based out-of-bounds write. This can lead to a denial of service or potentially arbitrary code execution through heap corruption.
Recommendations
Update to version 3.0.18.0.
Update to version 3.1.13.0.
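The arithmetic in the Description, as an added example that is not OpenImageIO's code: it models the 32-bit wrap of a pixel count times a negative multiplier next to a 64-bit checked form that rejects the out-of-range result. The multiplier -3, the function names and the image dimensions are constructed assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Assumed multiplier for illustration: a negative per-pixel factor like the
// "negative multipliers" the description mentions. Not taken from the project.
constexpr int32_t kMultiplier = -3;

// What a 32-bit two's-complement multiply produces. Computed in unsigned
// arithmetic because signed overflow is undefined behaviour in C++.
int32_t wrapped_size(int32_t pixels, int32_t multiplier) {
    uint32_t r = static_cast<uint32_t>(pixels) * static_cast<uint32_t>(multiplier);
    return static_cast<int32_t>(r);
}

// Hardened form: multiply in 64 bits and refuse any result that does not
// fit in int32_t, so a wrapped value can never reach an allocation.
bool checked_size(int32_t pixels, int32_t multiplier, int32_t* out) {
    if (pixels < 0) return false;
    const int64_t r = static_cast<int64_t>(pixels) * multiplier;
    if (r < std::numeric_limits<int32_t>::min() ||
        r > std::numeric_limits<int32_t>::max())
        return false;
    *out = static_cast<int32_t>(r);
    return true;
}

int main() {
    // Constructed dimensions: 65537 x 21845 = 1431655765 pixels.
    const int32_t big = 65537 * 21845;
    const int32_t hd = 1920 * 1080;  // ordinary image for comparison
    int32_t size = 0;

    std::printf("big: wrapped=%d checked=%s\n", wrapped_size(big, kMultiplier),
                checked_size(big, kMultiplier, &size) ? "ok" : "rejected");
    std::printf("hd:  wrapped=%d checked=%s\n", wrapped_size(hd, kMultiplier),
                checked_size(hd, kMultiplier, &size) ? "ok" : "rejected");
    return 0;
}
```

For the constructed 1431655765-pixel image the wrapped result is 1, a plausible-looking positive size, while the checked form rejects it because the true product is below INT_MIN.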
Exploit
Fix
DoS
Integer Overflow
Memory Corruption
Affected Products
Linuxmint
Openimageio
Ubuntu