Skip to main content

Openexr CVE-2026-27622

HIGH
Out-of-bounds Write (CWE-787)
2026-03-03 security-advisories@github.com GHSA-cr4v-6jm6-4963
Buffer Overflow Openexr Red Hat Suse
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.4 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
PoC Detected
Mar 05, 2026 - 21:07 vuln.today
Public exploit code
CVE Published
Mar 03, 2026 - 23:15 nvd
HIGH 7.8

DescriptionGitHub Advisory

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.

AnalysisAI

Buffer overflow in OpenEXR's CompositeDeepScanLine::readPixels function allows local attackers to achieve code execution by crafting malicious EXR files that trigger integer wraparound in sample count calculations, resulting in undersized memory allocation followed by heap buffer overrun during decompression. Public exploit code exists for this vulnerability, and patches are available in versions 3.2.6, 3.3.8, and 3.4.6. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Open malicious EXR file locally
Delivery
Trigger CompositeDeepScanLine::readPixels parsing
Exploit
Integer wrap in total_sizes vector modulo 2^32
Execution
Undersized samples buffer allocation
Persist
Heap buffer overflow in generic_unpack_deep_pointers
Impact
Execute arbitrary code
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Local user interaction required to open crafted EXR file with attacker-controlled large pixel count values in deep scanline data that cause integer wrapping in per-pixel total accumulation, affecting OpenEXR reference implementation during deep image decoding. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 7.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker could exploit this vulnerability to compromise the affected system.
Remediation Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all systems and applications using OpenEXR; restrict access to EXR processing functions to trusted users/networks only; disable EXR import/processing features if not business-critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

CVE-2026-27622 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy