CVE-2026-7582
Out-of-Bounds Write in OpenImageIO DDS Image Handler
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| academysoftwarefoundation | openimageio | up to and including 3.2.0.1-dev |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-7582 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-7582 is a vulnerability in the OpenImageIO library, specifically in the DDS Image Handler component. It involves an out-of-bounds write caused by improper handling of DDS image data in the file src/dds.imageio/ddsinput.cpp. This vulnerability can be exploited locally and may lead to memory corruption due to integer overflow and insufficient validation of image resolution values.
The issue arises from the use of incorrect data types for width, height, and depth parameters, which could cause integer overflows when processing large textures. The vulnerability was fixed by changing these parameters to use size_t types and adding validation checks for texture resolutions, including special handling for cube maps and volume textures.
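As an added illustration of the pattern described above (this is example code, not code from OpenImageIO or from the fix commit), the weak form multiplies header dimensions in a fixed 32-bit type, while the hardened form validates the dimensions, handles cube maps and volume textures, and computes the byte count in `size_t` with overflow checks. The function names and the `kMaxDim` cap are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>

// Largest side length accepted for any dimension. This is a constructed
// policy cap for the example, not a value taken from OpenImageIO.
constexpr std::size_t kMaxDim = 1u << 16;

// Multiply a*b into out; returns false instead of wrapping on overflow.
static bool checked_mul(std::size_t a, std::size_t b, std::size_t& out) {
    if (a != 0 && b > std::numeric_limits<std::size_t>::max() / a) return false;
    out = a * b;
    return true;
}

// The weak pattern: dimensions multiplied in a fixed 32-bit type wrap silently,
// so a huge texture can yield a tiny (even zero) allocation size.
uint32_t naive_image_bytes(uint32_t width, uint32_t height, uint32_t depth,
                           uint32_t bytes_per_pixel) {
    return width * height * depth * bytes_per_pixel;
}

// Hardened form: validate header dimensions and compute the byte count of the
// base mip level in size_t with overflow checks. A cube map contributes six 2D
// faces and cannot also be a volume; depth 0 or 1 means a plain 2D texture.
// Returns 0 when the header is inconsistent or the product would overflow
// (a valid image is never 0 bytes because zero dimensions are rejected).
std::size_t dds_image_bytes(uint32_t width, uint32_t height, uint32_t depth,
                            bool is_cubemap, uint32_t bytes_per_pixel) {
    if (width == 0 || height == 0 || bytes_per_pixel == 0) return 0;
    if (width > kMaxDim || height > kMaxDim) return 0;
    std::size_t slices = 1;
    if (is_cubemap) {
        if (depth > 1) return 0;        // cube map with volume depth: reject
        slices = 6;                     // six faces per cube map
    } else if (depth > 1) {
        if (depth > kMaxDim) return 0;
        slices = depth;                 // volume texture
    }
    std::size_t n = 0;
    if (!checked_mul(width, height, n)) return 0;
    if (!checked_mul(n, slices, n)) return 0;
    if (!checked_mul(n, bytes_per_pixel, n)) return 0;
    return n;
}
```

With a 65536x65536 RGBA texture the naive computation wraps to 0 bytes, which is exactly the kind of undersized allocation that turns a later pixel write into an out-of-bounds write.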
How can this vulnerability impact me?
This vulnerability can lead to out-of-bounds memory writes, which may cause application crashes, data corruption, or potentially allow an attacker to execute arbitrary code or escalate privileges locally.
Since the exploit requires local access, an attacker would need to have some level of access to the system to trigger the vulnerability by manipulating DDS image files processed by OpenImageIO.
The impact includes compromised integrity and availability of applications using the vulnerable OpenImageIO DDS plugin, especially in environments processing untrusted or malicious DDS image files.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the OpenImageIO library, specifically the DDS Image Handler component in versions up to 3.2.0.1-dev. Detection involves identifying if your system has a vulnerable version of OpenImageIO installed.
You can check the installed version of OpenImageIO by running commands like:
- For Linux/macOS: `oiiotool --version` or `dpkg -l | grep openimageio`
- For Windows (PowerShell): `Get-Command oiiotool` or checking installed programs for OpenImageIO version
Additionally, to detect exploitation attempts, monitor local system activity for unusual usage of OpenImageIO tools or processes that handle DDS files, since the attack requires local access.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to apply the official patch identified by commit 94ec2deec3e3bf2f2e2ff84d008e27425d626fe2, which fixes the out-of-bounds write vulnerability in the DDS Image Handler of OpenImageIO.
If patching immediately is not possible, consider restricting local access to systems running vulnerable versions of OpenImageIO to prevent exploitation, as the attack requires local access.
Also, monitor and audit usage of OpenImageIO tools and processes that handle DDS files to detect any suspicious activity.
Finally, update OpenImageIO to a version that includes the fix merged on April 15, 2026, or later.