CVE-2026-42450
Deferred Deferred - Pending Action

Heap-based Buffer Overflow in OpenColorIO LUT Parser

Vulnerability report for CVE-2026-42450, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

OpenColorIO is a color management framework for visual effects and animation. Prior to version 2.5.2, `FileFormatSpi3D.cpp:163` uses `sscanf` with `%s` into 64-byte stack buffers when parsing LUT data lines. Input comes from `lineBuffer[4096]`, so a crafted .spi3d file can overflow by ~4000 bytes on non-Windows. Version 2.5.2 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
opencolorio opencolorio to 2.5.2 (exc)
academysoftwarefoundation opencolorio to 2.5.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can lead to a stack buffer overflow, which may allow an attacker to execute arbitrary code on the affected system.

Such arbitrary code execution can compromise the confidentiality, integrity, and availability of the system running OpenColorIO.

Because the overflow occurs when parsing maliciously crafted LUT files, an attacker could exploit this by providing specially designed .spi3d files.

Executive Summary

CVE-2026-42450 is a stack buffer overflow vulnerability in the OpenColorIO library, specifically in the Spi3D (.spi3d) LUT parser.

The issue occurs in the FileFormatSpi3D.cpp file at line 163, where the code uses an unbounded sscanf with the %s format specifier to read string values into 64-byte stack buffers.

Since the input comes from a 4096-byte buffer, a maliciously crafted .spi3d file can overflow the stack buffer by approximately 4000 bytes on non-Windows systems.

This overflow can lead to arbitrary code execution.

The vulnerability affects OpenColorIO versions 2.5.1 and earlier and was fixed in version 2.5.2 by limiting the sscanf input to 63 bytes.

Detection Guidance

This vulnerability is triggered by parsing maliciously crafted .spi3d files that cause a stack buffer overflow in OpenColorIO versions prior to 2.5.2.

Detection can involve monitoring for the presence or use of vulnerable OpenColorIO versions (<= 2.5.1) and scanning for suspicious or unusually large .spi3d files that might exploit the sscanf buffer overflow.

Since the vulnerability occurs during parsing of LUT data lines in .spi3d files, commands to detect vulnerable versions or suspicious files might include:

  • Check OpenColorIO version installed: `opencolorio --version` or check package manager versions.
  • Search for .spi3d files in your system or project directories: `find /path/to/search -name '*.spi3d'`
  • Inspect .spi3d files for unusually long lines or suspicious content that could trigger buffer overflow, e.g., `grep -E '.{64,}' suspicious.spi3d` to find lines longer than 63 characters.
  • Monitor application logs or crashes related to OpenColorIO when loading LUT files, which might indicate exploitation attempts.
Mitigation Strategies

The primary mitigation step is to upgrade OpenColorIO to version 2.5.2 or later, where the vulnerability is fixed by limiting sscanf input size.

Until the upgrade can be applied, avoid loading or processing untrusted or unauthenticated .spi3d files, as these can trigger the buffer overflow.

Implement input validation or filtering on LUT files to ensure they do not contain excessively long lines that could overflow buffers.

Monitor for unusual application behavior or crashes related to LUT file parsing, which might indicate exploitation attempts.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-42450 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42450. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart