VYPR
High severity · 8.8 · NVD Advisory · Published May 14, 2026 · Updated May 15, 2026

CVE-2026-43908

Description

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the pixel-loop index expression i * 3 inside ConvertCbYCrYToRGB() causes the function to compute a large negative pointer offset into the output buffer, producing an out-of-bounds write that crashes the process. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
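The arithmetic behind the description, as an added example that is not OpenImageIO source code: it shows where a 32-bit signed i * 3 stops being representable, the negative offset that results, and a widened, bounds-checked form. The helper names, the sample indices and the three-bytes-per-pixel write size are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; not OpenImageIO source. */

/* Value a 32-bit signed `i * 3` typically holds after wrapping on
   two's-complement hardware. Computed in uint32_t so that this demo
   does not itself invoke undefined behaviour. */
static int64_t offset_int32(int32_t i) {
    uint32_t w = (uint32_t)i * 3u;
    return w > (uint32_t)INT32_MAX ? (int64_t)w - 4294967296LL : (int64_t)w;
}

/* Same index widened to 64 bits before the multiply: no wrap. */
static int64_t offset_wide(int32_t i) { return (int64_t)i * 3; }

/* Checked form: reject negative indices, compute the offset in 64 bits,
   and confirm the write stays inside an output buffer of out_bytes. */
static bool checked_offset(int32_t i, size_t out_bytes, size_t *off) {
    if (i < 0) return false;
    uint64_t o = (uint64_t)i * 3u;
    if (o + 3 > out_bytes) return false; /* assumption: 3 bytes per pixel */
    *off = (size_t)o;
    return true;
}

int main(void) {
    /* Constructed sample indices around the limit INT32_MAX / 3. */
    const int32_t samples[] = { 0, 715827882, 715827883, 1000000000 };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int32_t i = samples[k];
        printf("i=%-11ld int32 offset=%-12lld 64-bit offset=%lld\n",
               (long)i, (long long)offset_int32(i),
               (long long)offset_wide(i));
    }
    return 0;
}
```

The last index for which i * 3 fits in a signed 32-bit value is 715827882; one step further the 32-bit result becomes -2147483647, while the widened computation stays positive and can be compared against the buffer size.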

Affected products

4
  • Range: <=3.0.17.0,>=3.1.0,<3.1.13.0
  • cpe:2.3:a:openimageio:openimageio:*:*:*:*:*:*:*:* (range: <3.0.18.0)
  • cpe:2.3:a:openimageio:openimageio:3.2.0.0:dev:*:*:*:*:*:*
  • cpe:2.3:a:openimageio:openimageio:3.2.0.2:dev:*:*:*:*:*:*
