First published: Thu Dec 22 2022(Updated: )
A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability.
Credit: talos-cna@cisco.com talos-cna@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
Openimageio Openimageio | =2.3.19.0 | |
Debian Debian Linux | =11.0 | |
debian/openimageio | <=2.0.5~dfsg0-1 | 2.0.5~dfsg0-1+deb10u2 2.2.10.1+dfsg-1+deb11u1 2.4.7.1+dfsg-2 2.4.14.0+dfsg-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2022-36354 is medium with a severity value of 5.3.
The heap out-of-bounds read vulnerability in CVE-2022-36354 occurs in the RLA format parser of OpenImageIO, specifically in the way run-length encoded byte spans are handled.
OpenImageIO versions master-branch-9aeece7a and v2.3.19.0 are affected by CVE-2022-36354.
A malformed RLA file can lead to the exploitation of CVE-2022-36354 by triggering an out-of-bounds read of heap metadata.
Yes, there are updated versions of OpenImageIO and Debian Linux available that address the vulnerability.