[USN-8438-1] OpenImageIO vulnerabilities

Posted on 17 June 2026
Ubuntu Security

==========================================================================
Ubuntu Security Notice USN-8438-1
June 16, 2026

openimageio vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in OpenImageIO.

Software Description:
- openimageio: Library for reading and writing images

Details:

It was discovered that OpenImageIO incorrectly performed bounds
checking when processing SGI files. An attacker could possibly
use this issue to cause a denial of service or execute arbitrary
code. (CVE-2026-43903)

It was discovered that OpenImageIO incorrectly handled run-length
encoding when processing Softimage PIC files. An attacker
could possibly use this issue to cause a denial of service or
execute arbitrary code. (CVE-2026-43904)

It was discovered that OpenImageIO incorrectly validated subimage
metadata when processing HEIF files. An attacker could
possibly use this issue to cause a denial of service or execute
arbitrary code. This issue only affected Ubuntu 20.04 LTS, Ubuntu
24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-43906)

It was discovered that OpenImageIO contained multiple integer
overflow vulnerabilities when processing DPX files. An
attacker could possibly use these issues to cause a denial of
service or execute arbitrary code. (CVE-2026-43907, CVE-2026-43908,
CVE-2026-43909)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
libopenimageio-dev 2.5.19.1+dfsg-2ubuntu0.1~esm1
Available with Ubuntu Pro
libopenimageio2.5 2.5.19.1+dfsg-2ubuntu0.1~esm1
Available with Ubuntu Pro
openimageio-tools 2.5.19.1+dfsg-2ubuntu0.1~esm1
Available with Ubuntu Pro
python3-openimageio 2.5.19.1+dfsg-2ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 24.04 LTS
libopenimageio-dev 2.4.17.0+dfsg-1.1ubuntu0.1~esm1
Available with Ubuntu Pro
libopenimageio2.4t64 2.4.17.0+dfsg-1.1ubuntu0.1~esm1
Available with Ubuntu Pro
openimageio-tools 2.4.17.0+dfsg-1.1ubuntu0.1~esm1
Available with Ubuntu Pro
python3-openimageio 2.4.17.0+dfsg-1.1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 20.04 LTS
libopenimageio-dev 2.1.12.0~dfsg0-1ubuntu0.1~esm1
Available with Ubuntu Pro
libopenimageio2.1 2.1.12.0~dfsg0-1ubuntu0.1~esm1
Available with Ubuntu Pro
openimageio-tools 2.1.12.0~dfsg0-1ubuntu0.1~esm1
Available with Ubuntu Pro
python3-openimageio 2.1.12.0~dfsg0-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libopenimageio-dev 1.7.17~dfsg0-1ubuntu2+esm1
Available with Ubuntu Pro
libopenimageio1.7 1.7.17~dfsg0-1ubuntu2+esm1
Available with Ubuntu Pro
openimageio-tools 1.7.17~dfsg0-1ubuntu2+esm1
Available with Ubuntu Pro
python-openimageio 1.7.17~dfsg0-1ubuntu2+esm1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libopenimageio-dev 1.6.11~dfsg0-1ubuntu1+esm2
Available with Ubuntu Pro
libopenimageio1.6 1.6.11~dfsg0-1ubuntu1+esm2
Available with Ubuntu Pro
openimageio-tools 1.6.11~dfsg0-1ubuntu1+esm2
Available with Ubuntu Pro
python-openimageio 1.6.11~dfsg0-1ubuntu1+esm2
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8438-1
CVE-2026-43903, CVE-2026-43904, CVE-2026-43906, CVE-2026-43907,
CVE-2026-43908, CVE-2026-43909
