CVE-2025-15506

low-risk

Published 2026-01-11

A vulnerability was found in AcademySoftwareFoundation OpenColorIO up to 2.5.0. This issue affects the function ConvertToRegularExpression of the file src/OpenColorIO/FileRules.cpp. Performing a manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is named ebdbb75123c9d5f4643e041314e2bc988a13f20d. To fix this issue, it is recommended to deploy a patch. The fix was added to the 2.5.1 milestone.

Do I need to act?

-

0.01% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

3

CVSS 3.3/10 Low

LOCAL / LOW complexity

References (9)

https://github.com/AcademySoftwareFoundation/OpenColorIO/

https://github.com/AcademySoftwareFoundation/OpenColorIO/issues/2228

https://github.com/AcademySoftwareFoundation/OpenColorIO/milestone/11

https://github.com/AcademySoftwareFoundation/OpenColorIO/pull/2231

https://github.com/cozdas/OpenColorIO/commit/ebdbb75123c9d5f4643e041314e2bc988a1...

https://github.com/oneafter/1225/blob/main/uaf

https://vuldb.com/?ctiid.340444

https://vuldb.com/?id.340444

https://vuldb.com/?submit.733332

18

/ 100

low-risk

Severity 13/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal