Cyber Resilience

CVE-2026-43908

Severity: High · Public PoC

Published: 14 May 2026
Modified: 15 May 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0037 (29.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-43908 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in OpenImageIO (listed as Openimageio Openimageio). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 29.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Vulnerability details

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the pixel-loop index expression i * 3 inside ConvertCbYCrYToRGB() causes the function to compute a large negative pointer offset into the output buffer, producing an out-of-bounds write that crashes the process. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The integer overflow triggers an out-of-bounds write that crashes the process, which maps directly to application exploitation for endpoint denial of service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-55193 · Same product: Openimageio Openimageio
CVE-2026-43907 · Same product: Openimageio Openimageio
CVE-2026-43909 · Same product: Openimageio Openimageio
CVE-2024-55192 · Same product: Openimageio Openimageio
CVE-2024-55194 · Same product: Openimageio Openimageio
CVE-2026-32875 · Shared CWE-190, CWE-787
CVE-2026-29775 · Shared CWE-787
CVE-2025-27598 · Shared CWE-787
CVE-2026-33721 · Shared CWE-787
CVE-2024-7695 · Shared CWE-787

Affected Assets

openimageio · openimageio
Affected versions: 3.2.0.0, 3.2.0.2 · ≤ 3.0.18.0 · 3.1.4.0 through 3.1.13.0

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
