Skip to main content

OpenEXR CVE-2026-41142

| EUVDEUVD-2026-28251 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-05-07 GitHub_M
8.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
May 07, 2026 - 06:16 EUVD
Source Code Evidence Fetched
May 07, 2026 - 04:47 vuln.today
Analysis Generated
May 07, 2026 - 04:47 vuln.today
CVE Published
May 07, 2026 - 03:58 nvd
HIGH 8.8

DescriptionCVE.org

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::resize that leads to heap OOB write via OpenEXRUtil public API. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.

AnalysisAI

Integer overflow in OpenEXR ImageChannel::resize function enables heap buffer overflow through crafted EXR files processed via the OpenEXRUtil public API. Affects OpenEXR versions 3.0.0-3.2.8, 3.3.0-3.3.10, and 3.4.0-3.4.10 from the Academy Software Foundation's motion picture image format library. Vendor-released patches in versions 3.2.9, 3.3.11, and 3.4.11 add overflow validation before pixel buffer allocation. CVSS 8.8 with network vector but requires user interaction (opening malicious file). No public exploit or active exploitation identified at time of analysis.

Technical ContextAI

OpenEXR is the Academy Software Foundation's reference implementation of the EXR file format used extensively in VFX and motion picture workflows for high dynamic range images. The vulnerability resides in ImageChannel::resize() within the OpenEXRUtil library component. When processing image dimensions, the function performs a direct multiplication of _pixelsPerRow and _pixelsPerColumn to calculate _numPixels without overflow checking. On architectures where size_t can overflow (typically 32-bit or when dimensions approach 2^32), an attacker-controlled width*height calculation wraps to a small value, causing undersized heap allocation. Subsequent image data writes then overflow this buffer. The patch (commit 0592ee539f33c122c90f09238579b902d838afb4) promotes operands to uint64_t, validates the product against size_t::max before the multiplication, and throws ArgExc if dimensions exceed safe limits. Additional validation rejects non-positive sampling rates to prevent undefined modulo/division behavior. This is a CWE-190 integer overflow leading to CWE-122 heap-based buffer overflow, a common pattern in image parsers handling untrusted dimension metadata.

RemediationAI

Upgrade OpenEXR to patched versions 3.2.9, 3.3.11, or 3.4.11 depending on your current major.minor branch. The fix is implemented in commit 0592ee539f33c122c90f09238579b902d838afb4 and merged via PR #2367 (https://github.com/AcademySoftwareFoundation/openexr/pull/2367). After library upgrade, verify that all dependent applications (Adobe products, Foundry Nuke, Blender, custom tools) are rebuilt or updated to link the patched library - dynamic library updates may not propagate to statically linked binaries without recompilation. For environments where immediate patching is infeasible, implement defense-in-depth: restrict EXR file sources to trusted origins only, process untrusted files in sandboxed environments (containers, VMs) with limited privileges, and deploy endpoint detection monitoring for heap corruption indicators. On server-side processing infrastructure, consider rejecting EXR files with extreme dimensions (width or height exceeding practical limits like 65535 pixels) at ingestion boundaries before passing to OpenEXR APIs. Note that input validation is a compensating control only - it does not eliminate the underlying vulnerability and may have false-positive rates impacting legitimate high-resolution workflows. Organizations using Linux distributions should monitor vendor security channels (Debian DSA, RHEL RHSA, Ubuntu USN) for packaged updates rather than building from source where possible.

CVE-2018-18444 HIGH POC
8.8 Oct 17

makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds write, leading to an assertion failure or possib

CVE-2026-27622 HIGH POC
8.4 Mar 03

Out-of-bounds heap write in OpenEXR's CompositeDeepScanLine::readPixels lets a crafted multi-part deep-scanline EXR file

CVE-2017-12596 HIGH POC
7.8 Aug 07

In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp du

CVE-2026-26981 MEDIUM POC
6.5 Feb 24

OpenEXR versions 3.3.0-3.3.6 and 3.4.0-3.4.4 are vulnerable to a heap buffer overflow in file parsing due to improper in

CVE-2021-3598 MEDIUM POC
5.5 Jul 06

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. Rated medium severity (CV

CVE-2020-16589 MEDIUM POC
5.5 Dec 09

A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.

CVE-2020-16588 MEDIUM POC
5.5 Dec 09

A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp

CVE-2020-16587 MEDIUM POC
5.5 Dec 09

A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruct

CVE-2020-11765 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11764 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11763 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11762 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-41142 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy