CVE-2026-43996

MEDIUM 5.5

OpenImageIO: Integer wraparound in bounds check of decode_pixel leads to out-of-bounds read in TGA paletted image decoder

CVSS Score

5.5

EPSS Score

0.0%

EPSS Percentile

0th

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, the bounds check in TGAInput::decode_pixel computes k + palbytespp as unsigned 32-bit arithmetic. When k = 0xFFFFFFFC and palbytespp = 4, the addition wraps to 0, which compares less than palette_alloc_size and passes the check. The subsequent palette access uses the unwrapped k (0xFFFFFFFC) as the index, reading ~4 GB past the start of the palette buffer — SEGV. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

CWE	CWE-125
Vendor	academysoftwarefoundation
Product	openimageio
Published	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for academysoftwarefoundation openimageio

Be the first to know when new medium vulnerabilities affecting academysoftwarefoundation openimageio are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

AcademySoftwareFoundation / OpenImageIO

< 3.0.18.0 >= 3.1.4.0-beta, < 3.1.13.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-mq8j-73c4-cr55