CVE-2026-43904 HIGH

CVE-2026-43904: OpenImageIO: Softimage PIC RLE decoder heap buffer overflow — longCount not clamped to image width

Vendor Academysoftwarefoundation
Product OpenImageIO
Weakness CWE-787
Published May 14, 2026
Last update May 16, 2026

CVSS base score

8.4/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Active
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, softimageinput.cpp:469 (mixed RLE) and :345 (pure RLE) do not clamp the run length to the remaining scanline width before writing pixels. The raw packet path (line 403) correctly clamps with std::min, but the RLE paths skip this check. A crafted .pic file can therefore cause a heap buffer overflow of up to 65535 bytes. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
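The defect described above is a missing bound on a run length in a scanline decoder. The following added example (not OpenImageIO's code, and not a parser for the real Softimage PIC format) shows a hypothetical RLE scheme with the same three packet kinds the description names (raw packet, short run, 16-bit long run) and applies the remaining-width clamp on every path, including the long-run path where a 16-bit count can reach 65535. The function names (`decode_scanline`, `demo_long_run`, `demo_mixed_packets`, `demo_truncated`, `mixed_pixel`) and the packet layout are assumptions for illustration; the packet bytes are constructed sample input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical single-channel RLE scheme modelled on the CVE description,
   not OpenImageIO's actual softimageinput.cpp. Header byte c:
     c < 128  : raw packet, c pixel bytes follow
     c == 128 : long run, 16-bit big-endian count (longCount) then one pixel byte
     c > 128  : short run of (c - 128) copies of the following pixel byte */
typedef struct {
    size_t pixels_written;  /* pixels actually stored in the scanline */
    size_t runs_clamped;    /* packets whose length exceeded the remaining width */
    int    truncated_input; /* packet stream ended before the scanline was full */
} decode_result;

decode_result decode_scanline(const uint8_t *in, size_t in_len,
                              uint8_t *out, size_t width)
{
    decode_result r = {0, 0, 0};
    size_t pos = 0, x = 0;

    while (x < width) {
        if (pos >= in_len) { r.truncated_input = 1; break; }
        uint8_t c = in[pos++];
        size_t count;

        if (c < 128) {
            /* raw packet: clamp to the remaining width before copying */
            count = c;
            if (count > width - x) { count = width - x; r.runs_clamped++; }
            if (in_len - pos < count) { r.truncated_input = 1; break; }
            memcpy(out + x, in + pos, count);
            pos += count;
            x += count;
        } else {
            if (c == 128) {
                /* long run: attacker-controlled 16-bit count, up to 65535 */
                if (in_len - pos < 2) { r.truncated_input = 1; break; }
                count = ((size_t)in[pos] << 8) | in[pos + 1];
                pos += 2;
            } else {
                count = (size_t)(c - 128);
            }
            if (pos >= in_len) { r.truncated_input = 1; break; }
            uint8_t v = in[pos++];
            /* the clamp the vulnerable RLE paths lacked: never write past
               the end of the scanline, whatever the packet claims */
            if (count > width - x) { count = width - x; r.runs_clamped++; }
            memset(out + x, v, count);
            x += count;
        }
    }
    r.pixels_written = x;
    return r;
}

/* Constructed: a long run claiming 65535 pixels into a 16-pixel scanline. */
decode_result demo_long_run(void)
{
    static const uint8_t pkt[] = {0x80, 0xFF, 0xFF, 0xAB};
    uint8_t line[16] = {0};
    return decode_scanline(pkt, sizeof pkt, line, sizeof line);
}

/* Constructed: raw packet of 3, short run of 4, short run of 5 into 8 pixels;
   the last run is clamped to the single remaining pixel. */
static const uint8_t mixed_pkt[] = {0x03, 1, 2, 3, 0x84, 9, 0x85, 7};

decode_result demo_mixed_packets(void)
{
    uint8_t line[8] = {0};
    return decode_scanline(mixed_pkt, sizeof mixed_pkt, line, sizeof line);
}

/* Pixel i of the decoded mixed scanline, expected {1,2,3,9,9,9,9,7}. */
uint8_t mixed_pixel(size_t i)
{
    uint8_t line[8] = {0};
    decode_scanline(mixed_pkt, sizeof mixed_pkt, line, sizeof line);
    return i < sizeof line ? line[i] : 0;
}

/* Constructed: long-run header with only one count byte present. */
decode_result demo_truncated(void)
{
    static const uint8_t pkt[] = {0x80, 0xFF};
    uint8_t line[8] = {0};
    return decode_scanline(pkt, sizeof pkt, line, sizeof line);
}

int main(void)
{
    decode_result r = demo_long_run();
    printf("long run: wrote %zu pixels, %zu packet(s) clamped, truncated=%d\n",
           r.pixels_written, r.runs_clamped, r.truncated_input);
    return 0;
}
```

The key design point is that the clamp is applied after the count is decoded but before any write, on every packet kind; a decoder that clamps only the raw path, as the description says the affected versions did, still lets a single long-run packet write far beyond the scanline buffer. Counting clamped packets and truncated streams also gives a cheap signal for logging or rejecting malformed files rather than silently repairing them.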

Key dates

02 Disclosure timeline

May 14, 2026 CVE published
May 16, 2026 Record updated