CVE-2026-43909: OpenImageIO Vulnerability Exposes Apps to OOB Read/Write

The National Vulnerability Database reports CVE-2026-43909 affecting OpenImageIO, a critical toolset for VFX and animation image file manipulation. This vulnerability, rated 8.8 (HIGH) on the CVSS scale, stems from a signed 32-bit integer overflow within the SwapRGBABytes() function. Specifically, when processing large kABGR DPX images, the loop index calculation i * 4 can overflow and wrap, producing a large negative pointer offset.

This flaw initially manifests as an out-of-bounds read, but the subsequent write operations target the same wrapped memory address. This creates a combined out-of-bounds read/write primitive, a dangerous capability for attackers. Such primitives can lead to arbitrary code execution, denial of service, or information disclosure, depending on how an attacker leverages the memory corruption.
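The wrap described above and a hardened indexing pattern, as an added illustration that is not OpenImageIO source code. The function names are hypothetical, and reversing the four bytes of each pixel is an assumption about what an ABGR-to-RGBA swap does.

```c
/* Added illustration; not OpenImageIO source. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models what a signed 32-bit `i * 4` yields on two's-complement hardware.
   Done in unsigned arithmetic so the demo itself has no undefined behaviour. */
int64_t wrapped_offset32(int32_t i)
{
    uint32_t u = (uint32_t)i * 4u;               /* wraps modulo 2^32 */
    return (u & 0x80000000u) ? (int64_t)u - 4294967296LL : (int64_t)u;
}

/* Hardened pattern: size_t index, and the pixel count is validated against
   the buffer length by division, so the check itself cannot overflow. */
int swap_abgr_checked(uint8_t *buf, size_t buf_len, size_t pixels)
{
    if (buf == NULL || pixels > buf_len / 4)
        return -1;                               /* reject, touch nothing */
    for (size_t i = 0; i < pixels; i++) {
        uint8_t *p = buf + i * 4;                /* i * 4 < buf_len, no wrap */
        uint8_t a = p[0], b = p[1];
        p[0] = p[3]; p[1] = p[2]; p[2] = b; p[3] = a;   /* ABGR -> RGBA */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample indices around the 2^29 boundary. */
    int32_t samples[] = { 1, 536870911, 536870912, 805306368 };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("i=%ld  i*4 as int32 -> %lld\n", (long)samples[k],
               (long long)wrapped_offset32(samples[k]));

    uint8_t px[8] = { 'A', 'B', 'G', 'R', 'a', 'b', 'g', 'r' };  /* constructed */
    printf("swap rc=%d first=%c\n", swap_abgr_checked(px, sizeof px, 2), px[0]);
    printf("oversized rc=%d\n", swap_abgr_checked(px, sizeof px, 3));
    return 0;
}
```

A 32-bit signed index stays safe only while it is below 2^29; a loader that validates the pixel count against the allocated buffer before the loop rejects larger inputs instead of indexing with a wrapped value.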

OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0 are vulnerable. Defenders must prioritize patching to these versions immediately. Given OpenImageIO’s role in media production pipelines, any application or service relying on it is directly exposed. Attackers will view this as a prime target for supply chain compromise or targeted attacks against media and entertainment organizations.

What This Means For You

  • If your organization uses OpenImageIO in any part of your image processing pipeline, you are exposed. This isn't just a crash; it's a read/write primitive that attackers can weaponize for code execution. Identify all systems running OpenImageIO, verify their versions, and patch to 3.0.18.0 or 3.1.13.0 without delay. Audit any applications that handle DPX images, especially those exposed to untrusted input.

🛡️ Detection Rules

high T1190 Initial Access

CVE-2026-43909: OpenImageIO Out-of-Bounds Read/Write via DPX Processing

title: CVE-2026-43909: OpenImageIO Out-of-Bounds Read/Write via DPX Processing
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
  Detects the execution of OpenImageIO tools when processing DPX files, which is a precursor to the CVE-2026-43909 vulnerability. This rule targets the initial exploitation attempt by identifying the specific file format (DPX) being processed by the vulnerable library.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43909/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
detection:
  # Both fields in the selection must match (logical AND)
  selection:
    Image|contains:
      - 'openimageio'
    CommandLine|contains:
      - 'DPX'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43909 | Buffer Overflow | OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0 |
| CVE-2026-43909 | Memory Corruption | Signed 32-bit integer overflow in SwapRGBABytes() function |
| CVE-2026-43909 | Out-of-bounds Read/Write | Processing kABGR DPX images with large dimensions in OpenImageIO |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 23:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
