First published: Thu Dec 22 2022(Updated: )
Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `ymax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT16`
Credit: talos-cna@cisco.com talos-cna@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
Openimageio Openimageio | =2.4.4.2 | |
Debian Debian Linux | =11.0 | |
debian/openimageio | <=2.0.5~dfsg0-1 | 2.0.5~dfsg0-1+deb10u2 2.2.10.1+dfsg-1+deb11u1 2.4.7.1+dfsg-2 2.4.14.0+dfsg-1 |
=2.4.4.2 | ||
=11.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2022-43601.
The severity of CVE-2022-43601 is high with a CVSS score of 8.1.
OpenImageIO Project OpenImageIO v2.4.4.2 and Debian Linux 11.0 are affected by CVE-2022-43601.
An attacker can exploit CVE-2022-43601 by providing malicious input to trigger heap buffer overflows in the IFFOutput::close() functionality of OpenImageIO.
Yes, you can find references for CVE-2022-43601 at the following links: [Gentoo Security Advisory](https://security.gentoo.org/glsa/202305-33), [Talos Intelligence Vulnerability Report](https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656), [Debian Security Advisory](https://www.debian.org/security/2023/dsa-5384).