CVE-2026-43907 - Vulnerability Analysis
High | CVSS: 8.3 | Last Updated: May 14, 2026
OpenImageIO - Out of Bounds Read/Write
Published: May 14, 2026 | Updated: May 14, 2026 | Remote Exploitable
Overview
OpenImageIO < 3.0.18.0 and < 3.1.13.0 contains a heap-based out-of-bounds write caused by a signed integer overflow in QueryRGBBufferSizeInternal() when processing crafted DPX image files. The flaw lets attackers cause denial of service or remote code execution. Exploitation requires a crafted DPX file.
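The bug class described above (CWE-190 feeding a heap buffer size), as an added example that is not OpenImageIO's code: a size product kept in 32-bit arithmetic beside a checked version. The function names, the width * height * 3 * bytes-per-sample formula and the 1 GiB cap are assumptions for illustration; the page does not show the real QueryRGBBufferSizeInternal() logic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; illustrates the bug class, not OpenImageIO's code.
 * Assumed size formula: width * height * 3 (R,G,B) * bytes per sample. */

/* Weak form: product kept in 32 bits and returned as a signed int.
 * Wrapping is emulated with unsigned math because real signed overflow
 * is undefined behaviour in C. */
static int32_t naive_rgb_size(uint32_t width, uint32_t height, uint32_t bytes_per_sample)
{
    uint32_t wrapped = width * height * 3u * bytes_per_sample;
    return (int32_t)wrapped; /* can be negative or far too small */
}

/* Hardened form: each multiplication is checked before it happens and the
 * result is capped. Returns 0 and sets *out on success, -1 on rejection. */
static int checked_rgb_size(uint32_t width, uint32_t height,
                            uint32_t bytes_per_sample, size_t cap, size_t *out)
{
    const size_t factors[3] = { width, height, bytes_per_sample };
    size_t n = 3; /* R, G, B */
    for (int i = 0; i < 3; i++) {
        if (factors[i] == 0 || n > SIZE_MAX / factors[i])
            return -1; /* empty image or product would overflow size_t */
        n *= factors[i];
    }
    if (n > cap)
        return -1; /* larger than the caller is willing to allocate */
    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed header values, not taken from a real file. */
    const uint32_t dims[3][3] = { {1920, 1080, 2}, {32768, 32768, 1}, {65536, 65536, 2} };
    const size_t cap = (size_t)1 << 30; /* 1 GiB allocation limit (assumed policy) */
    for (int i = 0; i < 3; i++) {
        size_t sz = 0;
        int rc = checked_rgb_size(dims[i][0], dims[i][1], dims[i][2], cap, &sz);
        printf("%ux%u bps=%u naive=%d checked=%s (%zu)\n",
               (unsigned)dims[i][0], (unsigned)dims[i][1], (unsigned)dims[i][2],
               (int)naive_rgb_size(dims[i][0], dims[i][1], dims[i][2]),
               rc == 0 ? "ok" : "rejected", sz);
    }
    return 0;
}
```

A wrapped size that is negative or smaller than the data later copied into the buffer is what turns the arithmetic error into a heap out-of-bounds write; the checked form rejects the file before any allocation.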
Severity & Score
Severity: High
CVSS Score: 8.3
Impact
Attackers can cause application crashes or execute arbitrary code via crafted DPX files, potentially compromising systems using OpenImageIO.
Mitigation
Update to OpenImageIO 3.0.18.0 or 3.1.13.0 or later.
Details
- CVE ID: CVE-2026-43907
- Severity: High
- CVSS Score: 8.3
- Type: out_of_bounds_rw
- Status: unconfirmed
CWE
- CWE-190
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H