Skip to main content

Red Hat CVE-2026-39886

| EUVDEUVD-2026-24041 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-04-21 GitHub_M
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 18:41 nvd
Patch available
Patch available
Apr 21, 2026 - 03:01 EUVD
Analysis Generated
Apr 21, 2026 - 02:10 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 02:00 euvd
EUVD-2026-24041
Analysis Generated
Apr 21, 2026 - 02:00 vuln.today
CVE Published
Apr 21, 2026 - 01:27 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Versions 3.4.0 through 3.4.9 have a signed integer overflow vulnerability in OpenEXR's HTJ2K (High-Throughput JPEG 2000) decompression path. The ht_undo_impl() function in src/lib/OpenEXRCore/internal_ht.cpp accumulates a bytes-per-line value (bpl) using a 32-bit signed integer with no overflow guard. A crafted EXR file with 16,385 FLOAT channels at the HTJ2K maximum width of 32,767 causes bpl to overflow INT_MAX, producing undefined behavior confirmed by UBSan. On an allocator-permissive host where the required ~64 GB allocation succeeds, the wrapped negative bpl value would subsequently be used as a per-scanline pointer advance, which would produce a heap out-of-bounds write. On a memory-constrained host, the allocation fails before ht_undo_impl() is entered. This is the second distinct integer overflow in ht_undo_impl(). CVE-2026-34545 addressed a different overflow in the same function - the int16_t p pixel-loop counter at line ~302 that overflows when iterating over channels whose width exceeds 32,767. The CVE-2026-34545 fix did not touch the int bpl accumulator at line 211, which is the subject of this advisory. The bpl accumulator was also not addressed by any of the 8 advisories in the 2026-04-05 v3.4.9 release batch. This finding is structurally identical to CVE-2026-34588 (PIZ wcount*nx overflow in internal_piz.c) and should be remediated with the same pattern. The CVE-2026-34588 fix did not touch internal_ht.cpp. Version 3.4.10 contains a remediation that addresses the vulnerability in internal_ht.cpp.

AnalysisAI

Signed integer overflow in OpenEXR 3.4.0-3.4.9 HTJ2K decompression allows remote attackers to cause denial of service via crafted EXR files with excessive FLOAT channels. The ht_undo_impl() function accumulates a bytes-per-line value in a 32-bit signed integer without overflow protection; on memory-permissive systems, the wrapped negative value enables heap out-of-bounds writes. OpenEXR 3.4.10 contains the fix. This is a distinct overflow from CVE-2026-34545 in the same function and mirrors the pattern of CVE-2026-34588.

Technical ContextAI

OpenEXR is a high-dynamic-range (HDR) image format widely used in visual effects and animation. HTJ2K (High-Throughput JPEG 2000) is a compression codec integrated into OpenEXR's decompression pipeline. The vulnerability resides in the ht_undo_impl() function in src/lib/OpenEXRCore/internal_ht.cpp at line 211, where a 32-bit signed integer bpl (bytes-per-line) accumulates channel-width values without bounds checking. A crafted EXR file specifying 16,385 FLOAT channels at the HTJ2K maximum width (32,767 pixels) causes bpl to overflow INT_MAX (2,147,483,647), wrapping to a negative value. This undefined behavior (confirmed by UBSan) manifests as heap corruption when the negative bpl is later used as a per-scanline pointer advance in line ~302. The root cause is CWE-190 (Integer Overflow or Wraparound). This is structurally identical to CVE-2026-34588 in the PIZ decompression path (internal_piz.c), suggesting a systemic pattern in OpenEXR's decompression handlers.

RemediationAI

Upgrade OpenEXR to version 3.4.10 or later. The patched version corrects the signed integer overflow in the bpl accumulator at line 211 of internal_ht.cpp, implementing overflow guards consistent with the CVE-2026-34588 remediation in the PIZ decompression handler. For organizations unable to upgrade immediately, implement input validation at the application level to reject EXR files specifying more than a reasonable threshold of channels (e.g., reject files with >1024 channels or validate that channel count × maximum width does not exceed safe allocation limits). Disable HTJ2K decompression if the application's workflow does not require it (though this is not typical for production VFX pipelines). Monitor heap allocation during EXR parsing; alert or terminate processing if allocation requests exceed predefined thresholds (e.g., >10 GB). These compensating controls add latency and may reject valid files, so they are temporary mitigations only. Release notes and patch details are available at https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-39886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy