Fluid Attacks Database

Description

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the pixel-loop index expression i * 3 inside ConvertCbYCrYToRGB() causes the function to compute a large negative pointer offset into the output buffer, producing an out-of-bounds write that crashes the process. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 12	openimageio	=2.4.12.0+dfsg-1 \|\| =2.4.13.0+dfsg-1 \|\| =2.4.14.0+dfsg-1 \|\| =2.4.16.0+dfsg-1 \|\| =2.4.17.0+dfsg-1 \|\| =2.4.17.0+dfsg-1.1 \|\| =2.4.7.1+dfsg-2 \|\| =2.4.9.0+dfsg-1 \|\| =2.5.10.1+dfsg-1 \|\| =2.5.12.0+dfsg-1 \|\| =2.5.12.0+dfsg-2 \|\| =2.5.14.0+dfsg-1 \|\| =2.5.15.0+dfsg-1 \|\| =2.5.16.0+dfsg-1 \|\| =2.5.18.0+dfsg-1 \|\| =2.5.19.1+dfsg-1 \|\| =2.5.19.1+dfsg-2 \|\| =2.5.7.0+dfsg-1
debian 14	openimageio	=2.5.18.0+dfsg-1 \|\| =2.5.19.1+dfsg-1 \|\| =2.5.19.1+dfsg-2
debian 11	openimageio	=2.2.10.1+dfsg-1 \|\| =2.2.10.1+dfsg-1+deb11u1 \|\| =2.2.13.1+dfsg-1 \|\| =2.2.14.0+dfsg-1 \|\| =2.2.16.0+dfsg-1 \|\| =2.2.17.0+dfsg-1 \|\| =2.2.17.0+dfsg-2 \|\| =2.2.18.0+dfsg-1 \|\| =2.2.18.0+dfsg-2 \|\| =2.3.11.0+dfsg-1 \|\| =2.3.12.0+dfsg-1 \|\| =2.3.14.0+dfsg-1 \|\| =2.3.14.0+dfsg-2 \|\| =2.3.14.0+dfsg-3 \|\| =2.3.17.0+dfsg-1 \|\| =2.3.18.0+dfsg-1 \|\| =2.3.18.0+dfsg-2 \|\| =2.3.18.0+dfsg-3 \|\| =2.3.18.0+dfsg-4 \|\| =2.3.18.0+dfsg-5 \|\| =2.3.18.0+dfsg-6 \|\| =2.3.21.0+dfsg-1 \|\| =2.3.8.0+dfsg-1 \|\| =2.3.9.1+dfsg-1 \|\| =2.4.12.0+dfsg-1 \|\| =2.4.13.0+dfsg-1 \|\| =2.4.14.0+dfsg-1 \|\| =2.4.16.0+dfsg-1 \|\| =2.4.17.0+dfsg-1 \|\| =2.4.17.0+dfsg-1.1 \|\| =2.4.7.1+dfsg-1 \|\| =2.4.7.1+dfsg-2 \|\| =2.4.9.0+dfsg-1 \|\| =2.5.10.1+dfsg-1 \|\| =2.5.12.0+dfsg-1 \|\| =2.5.12.0+dfsg-2 \|\| =2.5.14.0+dfsg-1 \|\| =2.5.15.0+dfsg-1 \|\| =2.5.16.0+dfsg-1 \|\| =2.5.18.0+dfsg-1 \|\| =2.5.19.1+dfsg-1 \|\| =2.5.19.1+dfsg-2 \|\| =2.5.7.0+dfsg-1
debian 13	openimageio	=2.5.18.0+dfsg-1 \|\| =2.5.19.1+dfsg-1 \|\| =2.5.19.1+dfsg-2

Aliases

1. CVE-2026-439082. NVD-2026-439083. OSV-DEBIAN-2026-439084. OSV-2026-439085. SECURITY-TRACKER-CVE-2026-43908

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.