Skip to main content

Red Hat CVE-2026-40250

| EUVDEUVD-2026-24047 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-04-21 GitHub_M
8.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Red Hat
6.8 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

8
Patch released
Apr 22, 2026 - 18:41 nvd
Patch available
Re-analysis Queued
Apr 21, 2026 - 16:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 04:28 vuln.today
Patch available
Apr 21, 2026 - 03:01 EUVD
CVSS changed
Apr 21, 2026 - 02:22 NVD
8.4 (HIGH)
EUVD ID Assigned
Apr 21, 2026 - 02:00 euvd
EUVD-2026-24047
Analysis Generated
Apr 21, 2026 - 02:00 vuln.today
CVE Published
Apr 21, 2026 - 01:33 nvd
HIGH 8.4

DescriptionGitHub Advisory

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, internal_dwa_compressor.h:1040 performs chan->width * chan->bytes_per_element in int32 arithmetic without a (size_t) cast. This is the same overflow pattern fixed in other decoders by CVE-2026-34589/34588/34544, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses internal_dwa_compressor.h:1040.

AnalysisAI

Integer overflow in OpenEXR's DWA compressor (versions 3.2.0-3.2.7, 3.3.0-3.3.9, 3.4.0-3.4.9) enables local attackers to trigger memory corruption when processing maliciously crafted EXR image files requiring user interaction. This vulnerability represents a missed instance of the same integer overflow pattern addressed in related CVEs 2026-34589, 34588, and 34544, occurring in internal_dwa_compressor.h:1040 where width multiplication lacks proper size_t casting. Given the local attack vector requiring user interaction (CVSS AV:L/UI:A), real-world exploitation requires social engineering to trick users into opening weaponized EXR files, making this primarily a workstation-targeted threat in media production environments. No active exploitation or public POC identified at time of analysis.

Technical ContextAI

OpenEXR is the Academy Software Foundation's reference implementation of the EXR file format, widely used in visual effects and motion picture post-production workflows. The vulnerability stems from CWE-190 (Integer Overflow) in the DWA (Digital Wavelets Alpha) compression codec implementation. Specifically, line 1040 of internal_dwa_compressor.h performs multiplication of chan->width * chan->bytes_per_element using 32-bit integer arithmetic without proper size_t casting to prevent overflow. When processing specially crafted EXR files with extreme dimension values, this integer overflow can result in undersized buffer allocations, leading to subsequent heap-based buffer overflows during decompression operations. This is part of a broader class of integer overflow issues in OpenEXR's various compression codecs, with similar patterns previously addressed in CVE-2026-34589 (PIZ compressor), CVE-2026-34588 (ZIP compressor), and CVE-2026-34544 (another codec component). The DWA compressor is specifically designed for lossy compression of half-precision floating-point images, making it common in high-dynamic-range imaging workflows.

RemediationAI

Upgrade to patched versions: OpenEXR 3.4.10 (https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10), 3.3.10 (https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10), or 3.2.8 (https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.8) depending on your current version branch. These releases contain the specific fix addressing the integer overflow at internal_dwa_compressor.h:1040. If immediate patching is not feasible, implement compensating controls: restrict OpenEXR processing to trusted file sources only, deploy application sandboxing (AppArmor/SELinux profiles limiting file system and network access), and disable DWA compression support if not operationally required (note: this may break compatibility with assets using DWA-compressed layers). For high-security environments, consider pre-scanning EXR files with updated validators before opening in production applications. Temporary mitigation of disabling DWA support will prevent processing of DWA-compressed EXR files entirely, which may be unacceptable in production pipelines requiring this codec.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected

Share

CVE-2026-40250 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy