CVE-2026-42450
OpenColorIO vulnerable to stack buffer overflow via unbounded `sscanf %s` in Spi3D (.spi3d) LUT parser
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
OpenColorIO is a color management framework for visual effects and animation. Prior to version 2.5.2, `FileFormatSpi3D.cpp:163` uses `sscanf` with `%s` to read into 64-byte stack buffers when parsing LUT data lines. The input comes from `lineBuffer[4096]`, so a crafted .spi3d file can overflow these buffers by ~4000 bytes on non-Windows platforms. Version 2.5.2 fixes the issue.
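A width-bounded form of the parsing pattern described above, as an added example: this is not OpenColorIO's code and not the 2.5.2 patch. The line layout (three integer indices followed by three value tokens) and the names `parse_lut_line`, `token_to_float` and `TOKEN_CAP` are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOKEN_CAP 64 /* buffer size named in the advisory */

/* Convert one value token to float; reject empty, trailing-junk or out-of-range text. */
static int token_to_float(const char *tok, float *out)
{
    char *end = NULL;
    errno = 0;
    *out = strtof(tok, &end);
    return (end == tok || *end != '\0' || errno == ERANGE) ? -1 : 0;
}

/* Assumed line layout: "<i> <j> <k> <r> <g> <b>". Returns 0 on success, -1 on reject. */
int parse_lut_line(const char *line, int idx[3], float rgb[3])
{
    char tok[3][TOKEN_CAP];

    /* The advisory's unsafe form is a bare "%s" into a 64-byte buffer.
     * "%63s" stores at most 63 characters plus the NUL, so it stays in bounds. */
    if (sscanf(line, "%d %d %d %63s %63s %63s",
               &idx[0], &idx[1], &idx[2], tok[0], tok[1], tok[2]) != 6)
        return -1;

    for (int i = 0; i < 3; i++) {
        /* A token that fills the buffer may have been cut by the width limit:
         * treat it as over-long input instead of parsing a fragment. */
        if (strlen(tok[i]) == TOKEN_CAP - 1)
            return -1;
        if (token_to_float(tok[i], &rgb[i]) != 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    int idx[3];
    float rgb[3];
    const char *ok = "0 1 2 0.25 0.5 1.0\n"; /* constructed sample line */
    printf("%d\n", parse_lut_line(ok, idx, rgb));
    return 0;
}
```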
| CWE | CWE-120 |
| Vendor | academysoftwarefoundation |
| Product | opencolorio |
| Published | Jun 24, 2026 |
Affected Versions
AcademySoftwareFoundation / OpenColorIO
< 2.5.2