Skip to main content

Openexr CVE-2026-40244

| EUVDEUVD-2026-24046 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-04-21 GitHub_M
8.4
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Red Hat
8.2 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

8
Patch released
Apr 22, 2026 - 18:41 nvd
Patch available
Re-analysis Queued
Apr 21, 2026 - 16:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 04:28 vuln.today
Patch available
Apr 21, 2026 - 03:01 EUVD
CVSS changed
Apr 21, 2026 - 02:22 NVD
8.4 (HIGH)
EUVD ID Assigned
Apr 21, 2026 - 02:00 euvd
EUVD-2026-24046
Analysis Generated
Apr 21, 2026 - 02:00 vuln.today
CVE Published
Apr 21, 2026 - 01:30 nvd
HIGH 8.4

DescriptionCVE.org

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, internal_dwa_compressor.h:1722 performs curc->width * curc->height in int32 arithmetic without a (size_t) cast. This is the same overflow pattern fixed in other locations by the recent CVE-2026-34589 batch, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses internal_dwa_compressor.h:1722.

AnalysisAI

Integer overflow in OpenEXR's DWA compressor (versions 3.2.0-3.2.7, 3.3.0-3.3.9, 3.4.0-3.4.9) allows local attackers to trigger memory corruption via maliciously crafted EXR image files requiring user interaction. This overflow at internal_dwa_compressor.h:1722 was missed in the CVE-2026-34589 remediation batch, performing width*height multiplication in 32-bit arithmetic without proper bounds checking. While CVSS scores 8.4 (High), the local attack vector and required user interaction (opening malicious file) somewhat limit real-world exploitation compared to remotely exploitable vulnerabilities. No EPSS score or KEV status available; exploitation probability depends on attacker's ability to deliver weaponized EXR files to targets in media production environments.

Technical ContextAI

OpenEXR is the Academy Software Foundation's reference implementation of the EXR file format, widely used in visual effects and motion picture post-production for high dynamic range imagery. The vulnerability affects the DWA (Dreamworks Animation) lossy compression codec implementation. At line 1722 of internal_dwa_compressor.h, the code multiplies image channel width by height using int32_t arithmetic without casting to size_t before memory allocation. This CWE-190 integer overflow pattern allows specially crafted EXR files with malicious dimension values to wrap around the 32-bit signed integer boundary (2,147,483,647), resulting in undersized buffer allocation. Subsequent operations writing image data to this undersized buffer cause heap-based buffer overflows (CWE-120), potentially corrupting memory and enabling arbitrary code execution. This identical overflow pattern was addressed in other OpenEXR code locations via CVE-2026-34589, but this specific instance in the DWA compressor path was inadvertently omitted from that fix.

RemediationAI

Upgrade to OpenEXR version 3.2.8, 3.3.10, or 3.4.10 depending on your current release branch. Patched releases are available from the official GitHub repository: v3.2.8 at https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.8, v3.3.10 at https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10, and v3.4.10 at https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10. The fix adds proper size_t casting to prevent integer overflow during buffer size calculations in the DWA compressor. If immediate patching is not feasible, implement compensating controls: restrict EXR file processing to trusted sources only through allowlist-based input validation; deploy sandboxing for applications that process EXR files (containerization, AppArmor, or SELinux policies limiting file system and memory access); disable DWA compression codec support if the application permits codec selection and DWA is not required for workflows. Note that input validation based on image dimensions may be bypassed by attackers using edge-case values near the int32 boundary, so sandboxing provides more robust defense-in-depth. Organizations using OpenEXR as a transitive dependency should audit their dependency trees and coordinate updates with application vendors.

CVE-2018-18444 HIGH POC
8.8 Oct 17

makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds write, leading to an assertion failure or possib

CVE-2026-27622 HIGH POC
8.4 Mar 03

Out-of-bounds heap write in OpenEXR's CompositeDeepScanLine::readPixels lets a crafted multi-part deep-scanline EXR file

CVE-2017-12596 HIGH POC
7.8 Aug 07

In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp du

CVE-2026-26981 MEDIUM POC
6.5 Feb 24

OpenEXR versions 3.3.0-3.3.6 and 3.4.0-3.4.4 are vulnerable to a heap buffer overflow in file parsing due to improper in

CVE-2021-3598 MEDIUM POC
5.5 Jul 06

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. Rated medium severity (CV

CVE-2020-16589 MEDIUM POC
5.5 Dec 09

A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.

CVE-2020-16588 MEDIUM POC
5.5 Dec 09

A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp

CVE-2020-16587 MEDIUM POC
5.5 Dec 09

A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruct

CVE-2020-11765 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11764 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11763 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11762 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected

Share

CVE-2026-40244 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy