CVE-2022-43594

low-risk

Published 2022-12-22

Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. An attacker can provide malicious multiple inputs to trigger these vulnerabilities.This vulnerability applies to writing .bmp files.

Do I need to act?

0.16% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (2)

Openimageio

Debian Linux

Affected Vendors

Debian Openimageio

References (6)

Third Party Advisory https://security.gentoo.org/glsa/202305-33

Exploit https://talosintelligence.com/vulnerability_reports/TALOS-2022-1653

Third Party Advisory https://www.debian.org/security/2023/dsa-5384

Third Party Advisory https://security.gentoo.org/glsa/202305-33

Exploit https://talosintelligence.com/vulnerability_reports/TALOS-2022-1653

Third Party Advisory https://www.debian.org/security/2023/dsa-5384

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 7/34 · Low