CVE-2024-40630 — Out-of-bounds Read in Openimageio

CWE-125 — Out-of-bounds Read3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.3%

top 50.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Academysoftwarefoundation Openimageio Openimageio Debian Openimageio

Timeline

PublishedJul 15

Description

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation via a format-agnostic API with a feature set, scalability, and robustness needed for feature film production. In affected versions there is a bug in the heif input functionality of OpenImageIO. Specifically, in `HeifInput::seek_subimage()`. In the worst case, this can lead to an information disclosure vulnerability, particularly for programs that directly use the `Imag…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/openimageio< openimageio 2.5.14.0+dfsg-1 (forky)

▶CVEListV5academysoftwarefoundation/openimageio< 2.5.13.1

▶Debianopenimageio/openimageio< 2.5.14.0+dfsg-1+1

🔴Vulnerability Details

OSV

CVE-2024-40630: OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation via a format-agnostic↗2024-07-15

▶

📋Vendor Advisories

Debian

CVE-2024-40630: openimageio - OpenImageIO is a toolset for reading, writing, and manipulating image files of a...↗2024

▶