UBUNTU-CVE-2026-43907

Source
https://ubuntu.com/security/CVE-2026-43907
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-43907.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-43907
Upstream
  • CVE-2026-43907
Published
2026-05-14T20:17:00Z
Modified
2026-05-20T22:03:05.587698987Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
  • Ubuntu - medium
Summary
[none]
Details

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed integer overflow in QueryRGBBufferSizeInternal() in DPXColorConverter.cpp leads to a heap-based out-of-bounds write when processing crafted DPX image files. The function computes buffer sizes using 32-bit signed integer arithmetic with negative multipliers (e.g., pixels * -3 * bytes for kCbYCr descriptors and pixels * -4 * bytes for kABGR descriptors), where a negative result is used as an in-band signal that no separate buffer is needed. When the pixel count is sufficiently large, the multiplication overflows INT_MIN and wraps to a small positive value. The caller in dpxinput.cpp interprets this positive value as a required buffer size, allocates an undersized heap buffer via m_decodebuf.resize(), and then writes the full image data into it via fread, resulting in a heap buffer overflow. An attacker can exploit this by crafting a DPX file that triggers the overflow, causing a denial of service (crash) or potentially arbitrary code execution through heap corruption in any application that reads pixel data using OpenImageIO. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
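The following is an added illustration of the size-computation pattern the advisory describes, placed beside a hardened form; it is constructed for this page and is not OpenImageIO's code. The descriptor ids, the 3/4 channel counts, and all function names are assumptions modelled on the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed demo of the flaw class in the advisory, not OpenImageIO's code.
 * Descriptor ids, channel counts and names are assumptions modelled on the
 * text (kCbYCr: pixels * -3 * bytes, kABGR: pixels * -4 * bytes). */
enum { DESC_RGB = 0, DESC_CBYCR = 1, DESC_ABGR = 2 };

/* Vulnerable pattern: 32-bit arithmetic, negative result used as the in-band
 * "no separate buffer needed" signal. Wrapping is done on uint32_t so the demo
 * is well defined; the real defect is undefined signed overflow. */
int32_t query_size_vulnerable(int32_t pixels, int32_t bytes, int desc)
{
    int32_t mult = (desc == DESC_CBYCR) ? -3 : (desc == DESC_ABGR) ? -4 : 3;
    uint32_t r = (uint32_t)pixels * (uint32_t)mult * (uint32_t)bytes;
    return (int32_t)r; /* a large pixel count wraps to a small positive size */
}

/* Hardened form: the flag travels out of band, every multiply is proven to
 * fit INT32_MAX before it runs, and negative or zero inputs are rejected. */
bool query_size_safe(int32_t pixels, int32_t bytes, int desc,
                     size_t *out_size, bool *needs_buffer)
{
    if (pixels < 0 || bytes <= 0) return false;
    int32_t channels = (desc == DESC_ABGR) ? 4 : 3;
    if (bytes > INT32_MAX / channels) return false;
    int32_t per_pixel = channels * bytes;
    if (pixels > INT32_MAX / per_pixel) return false;
    *out_size = (size_t)(pixels * per_pixel);
    *needs_buffer = (desc != DESC_CBYCR && desc != DESC_ABGR);
    return true;
}

/* Size-only wrapper: 0 means rejected (or an empty image). */
size_t safe_size_or_zero(int32_t pixels, int32_t bytes, int desc)
{
    size_t size; bool needs;
    return query_size_safe(pixels, bytes, desc, &size, &needs) ? size : 0;
}

/* Caller-side view of the dpxinput.cpp allocate-then-fread path: true when
 * the buffer the vulnerable query asks for is smaller than the image data. */
bool caller_would_overflow(int32_t pixels, int32_t bytes, int desc)
{
    int32_t want = query_size_vulnerable(pixels, bytes, desc);
    if (want <= 0) return false; /* "no buffer" signal, nothing is allocated */
    size_t actual = safe_size_or_zero(pixels, bytes, desc);
    return actual == 0 || actual > (size_t)want; /* 0: true size > INT32_MAX */
}
```

With 0x20000000 pixels and 2 bytes per sample on a kCbYCr-style descriptor, the 32-bit product wraps from a negative signal value to 1073741824, which a caller would accept as a 1 GiB allocation for 3 GiB of image data; the hardened query rejects the same request.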

References

Affected packages

Ubuntu:16.04:LTS
openimageio

Package

Name
openimageio
Purl
pkg:deb/ubuntu/openimageio?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.5.17~dfsg0-1ubuntu2
1.5.20~dfsg0-1ubuntu2
1.5.23~dfsg0-1ubuntu1
1.6.9~dfsg0-4ubuntu1
1.6.10~dfsg0-1ubuntu1
1.6.10~dfsg0-2ubuntu1
1.6.11~dfsg0-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libopenimageio1.6",
            "binary_version": "1.6.11~dfsg0-1ubuntu1"
        },
        {
            "binary_name": "openimageio-tools",
            "binary_version": "1.6.11~dfsg0-1ubuntu1"
        },
        {
            "binary_name": "python-openimageio",
            "binary_version": "1.6.11~dfsg0-1ubuntu1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-43907.json"
Ubuntu:18.04:LTS
openimageio

Package

Name
openimageio
Purl
pkg:deb/ubuntu/openimageio?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.6.17~dfsg0-1ubuntu5
1.7.17~dfsg0-1ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libopenimageio1.7",
            "binary_version": "1.7.17~dfsg0-1ubuntu2"
        },
        {
            "binary_name": "openimageio-tools",
            "binary_version": "1.7.17~dfsg0-1ubuntu2"
        },
        {
            "binary_name": "python-openimageio",
            "binary_version": "1.7.17~dfsg0-1ubuntu2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-43907.json"
Ubuntu:20.04:LTS
openimageio

Package

Name
openimageio
Purl
pkg:deb/ubuntu/openimageio?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2.*
2.0.10~dfsg0-1
2.0.11~dfsg0-1
2.0.12~dfsg0-1
2.0.12~dfsg0-1build1
2.0.12~dfsg0-1build2
2.1.10.1~dfsg0-5ubuntu4
2.1.10.1~dfsg0-5ubuntu5
2.1.12.0~dfsg0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libopenimageio2.1",
            "binary_version": "2.1.12.0~dfsg0-1"
        },
        {
            "binary_name": "openimageio-tools",
            "binary_version": "2.1.12.0~dfsg0-1"
        },
        {
            "binary_name": "python3-openimageio",
            "binary_version": "2.1.12.0~dfsg0-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-43907.json"
Ubuntu:22.04:LTS
openimageio

Package

Name
openimageio
Purl
pkg:deb/ubuntu/openimageio?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2.*
2.2.10.1+dfsg-1build1
2.2.18.0+dfsg-1
2.2.18.0+dfsg-1build2
2.2.18.0+dfsg-1ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libopenimageio2.2",
            "binary_version": "2.2.18.0+dfsg-1ubuntu2"
        },
        {
            "binary_name": "openimageio-tools",
            "binary_version": "2.2.18.0+dfsg-1ubuntu2"
        },
        {
            "binary_name": "python3-openimageio",
            "binary_version": "2.2.18.0+dfsg-1ubuntu2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-43907.json"
Ubuntu:24.04:LTS
openimageio

Package

Name
openimageio
Purl
pkg:deb/ubuntu/openimageio?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2.*
2.4.14.0+dfsg-1
2.4.16.0+dfsg-1
2.4.16.0+dfsg-1build1
2.4.17.0+dfsg-1
2.4.17.0+dfsg-1build1
2.4.17.0+dfsg-1.1build3
2.4.17.0+dfsg-1.1build4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libopenimageio2.4t64",
            "binary_version": "2.4.17.0+dfsg-1.1build4"
        },
        {
            "binary_name": "openimageio-tools",
            "binary_version": "2.4.17.0+dfsg-1.1build4"
        },
        {
            "binary_name": "python3-openimageio",
            "binary_version": "2.4.17.0+dfsg-1.1build4"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-43907.json"
Ubuntu:25.10
openimageio

Package

Name
openimageio
Purl
pkg:deb/ubuntu/openimageio?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2.*
2.5.18.0+dfsg-1build1
2.5.18.0+dfsg-1build2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libopenimageio2.5",
            "binary_version": "2.5.18.0+dfsg-1build2"
        },
        {
            "binary_name": "openimageio-tools",
            "binary_version": "2.5.18.0+dfsg-1build2"
        },
        {
            "binary_name": "python3-openimageio",
            "binary_version": "2.5.18.0+dfsg-1build2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-43907.json"
Ubuntu:26.04:LTS
openimageio

Package

Name
openimageio
Purl
pkg:deb/ubuntu/openimageio?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2.*
2.5.18.0+dfsg-1build2
2.5.19.1+dfsg-1build1
2.5.19.1+dfsg-1build3
2.5.19.1+dfsg-1build5
2.5.19.1+dfsg-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libopenimageio2.5",
            "binary_version": "2.5.19.1+dfsg-2"
        },
        {
            "binary_name": "openimageio-tools",
            "binary_version": "2.5.19.1+dfsg-2"
        },
        {
            "binary_name": "python3-openimageio",
            "binary_version": "2.5.19.1+dfsg-2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-43907.json"