CVE-2026-7582
Received Received - Intake
Out-of-Bounds Write in OpenImageIO DDS Image Handler

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: VulDB

Description
A vulnerability was detected in AcademySoftwareFoundation OpenImageIO up to 3.2.0.1-dev. This vulnerability affects unknown code of the file src/dds.imageio/ddsinput.cpp of the component DDS Image Handler. The manipulation results in out-of-bounds write. The attack needs to be approached locally. The exploit is now public and may be used. The patch is identified as 94ec2deec3e3bf2f2e2ff84d008e27425d626fe2. Applying a patch is advised to resolve this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7582
EUVD
EUVD-2026-26532
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
academysoftwarefoundation openimageio to 3.2.0.1-dev (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-7582 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-7582 is a vulnerability in the OpenImageIO library, specifically in the DDS Image Handler component. It involves an out-of-bounds write caused by improper handling of DDS image data in the file src/dds.imageio/ddsinput.cpp. This vulnerability can be exploited locally and may lead to memory corruption due to integer overflow and insufficient validation of image resolution values.

The issue arises from the use of incorrect data types for width, height, and depth parameters, which could cause integer overflows when processing large textures. The vulnerability was fixed by changing these parameters to use size_t types and adding validation checks for texture resolutions, including special handling for cube maps and volume textures.

Impact Analysis

This vulnerability can lead to out-of-bounds memory writes, which may cause application crashes, data corruption, or potentially allow an attacker to execute arbitrary code or escalate privileges locally.

Since the exploit requires local access, an attacker would need to have some level of access to the system to trigger the vulnerability by manipulating DDS image files processed by OpenImageIO.

The impact includes compromised integrity and availability of applications using the vulnerable OpenImageIO DDS plugin, especially in environments processing untrusted or malicious DDS image files.

Detection Guidance

This vulnerability affects the OpenImageIO library, specifically the DDS Image Handler component in versions up to 3.2.0.1-dev. Detection involves identifying if your system has a vulnerable version of OpenImageIO installed.

You can check the installed version of OpenImageIO by running commands like:

  • For Linux/macOS: `oiiotool --version` or `dpkg -l | grep openimageio`
  • For Windows (PowerShell): `Get-Command oiiotool` or checking installed programs for OpenImageIO version

Additionally, to detect exploitation attempts, monitor local system activity for unusual usage of OpenImageIO tools or processes that handle DDS files, since the attack requires local access.

Mitigation Strategies

The primary mitigation step is to apply the official patch identified by commit 94ec2deec3e3bf2f2e2ff84d008e27425d626fe2, which fixes the out-of-bounds write vulnerability in the DDS Image Handler of OpenImageIO.

If patching immediately is not possible, consider restricting local access to systems running vulnerable versions of OpenImageIO to prevent exploitation, as the attack requires local access.

Also, monitor and audit usage of OpenImageIO tools and processes that handle DDS files to detect any suspicious activity.

Finally, update OpenImageIO to a version that includes the fix merged on April 15, 2026, or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7582. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart