Fluid Attacks Database

Description

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a heap-based buffer overflow in the HEIF decoder of OpenImageIO allows out-of-bounds writes via crafted images due to a subimage metadata mismatch, leading to memory corruption and potential code execution. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 12	openimageio	=2.4.12.0+dfsg-1 \|\| =2.4.13.0+dfsg-1 \|\| =2.4.14.0+dfsg-1 \|\| =2.4.16.0+dfsg-1 \|\| =2.4.17.0+dfsg-1 \|\| =2.4.17.0+dfsg-1.1 \|\| =2.4.7.1+dfsg-2 \|\| =2.4.9.0+dfsg-1 \|\| =2.5.10.1+dfsg-1 \|\| =2.5.12.0+dfsg-1 \|\| =2.5.12.0+dfsg-2 \|\| =2.5.14.0+dfsg-1 \|\| =2.5.15.0+dfsg-1 \|\| =2.5.16.0+dfsg-1 \|\| =2.5.18.0+dfsg-1 \|\| =2.5.19.1+dfsg-1 \|\| =2.5.19.1+dfsg-2 \|\| =2.5.7.0+dfsg-1
debian 13	openimageio	=2.5.18.0+dfsg-1 \|\| =2.5.19.1+dfsg-1 \|\| =2.5.19.1+dfsg-2
debian 14	openimageio	=2.5.18.0+dfsg-1 \|\| =2.5.19.1+dfsg-1 \|\| =2.5.19.1+dfsg-2
debian 11	openimageio	=2.2.10.1+dfsg-1 \|\| =2.2.10.1+dfsg-1+deb11u1 \|\| =2.2.13.1+dfsg-1 \|\| =2.2.14.0+dfsg-1 \|\| =2.2.16.0+dfsg-1 \|\| =2.2.17.0+dfsg-1 \|\| =2.2.17.0+dfsg-2 \|\| =2.2.18.0+dfsg-1 \|\| =2.2.18.0+dfsg-2 \|\| =2.3.11.0+dfsg-1 \|\| =2.3.12.0+dfsg-1 \|\| =2.3.14.0+dfsg-1 \|\| =2.3.14.0+dfsg-2 \|\| =2.3.14.0+dfsg-3 \|\| =2.3.17.0+dfsg-1 \|\| =2.3.18.0+dfsg-1 \|\| =2.3.18.0+dfsg-2 \|\| =2.3.18.0+dfsg-3 \|\| =2.3.18.0+dfsg-4 \|\| =2.3.18.0+dfsg-5 \|\| =2.3.18.0+dfsg-6 \|\| =2.3.21.0+dfsg-1 \|\| =2.3.8.0+dfsg-1 \|\| =2.3.9.1+dfsg-1 \|\| =2.4.12.0+dfsg-1 \|\| =2.4.13.0+dfsg-1 \|\| =2.4.14.0+dfsg-1 \|\| =2.4.16.0+dfsg-1 \|\| =2.4.17.0+dfsg-1 \|\| =2.4.17.0+dfsg-1.1 \|\| =2.4.7.1+dfsg-1 \|\| =2.4.7.1+dfsg-2 \|\| =2.4.9.0+dfsg-1 \|\| =2.5.10.1+dfsg-1 \|\| =2.5.12.0+dfsg-1 \|\| =2.5.12.0+dfsg-2 \|\| =2.5.14.0+dfsg-1 \|\| =2.5.15.0+dfsg-1 \|\| =2.5.16.0+dfsg-1 \|\| =2.5.18.0+dfsg-1 \|\| =2.5.19.1+dfsg-1 \|\| =2.5.19.1+dfsg-2 \|\| =2.5.7.0+dfsg-1

Aliases

1. CVE-2026-439062. NVD-2026-439063. OSV-DEBIAN-2026-439064. OSV-2026-439065. SECURITY-TRACKER-CVE-2026-43906

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.