Skip to main content

OpenEXR EUVDEUVD-2026-37944

| CVE-2026-44663 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-18 GitHub_M
7.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
MEDIUM
qualitative
NVD
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
vuln.today AI
7.1 HIGH

File-parsing bug: local vector (AV:L) requiring the victim to process a crafted EXR (UI:R), no privileges (PR:N); heap write yields high integrity/availability impact, no data disclosure (C:N).

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Red Hat
6.1 MEDIUM
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jun 26, 2026 - 02:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 02:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 02:22 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 02:22 NVD
MEDIUM HIGH
CVSS changed
Jun 26, 2026 - 02:22 NVD
6.1 (MEDIUM) 7.1 (HIGH)
Patch available
Jun 18, 2026 - 22:16 EUVD
Source Code Evidence Fetched
Jun 18, 2026 - 20:48 vuln.today
Analysis Generated
Jun 18, 2026 - 20:48 vuln.today

DescriptionNVD

OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, an integer overflow in ht_undo_impl() in src/lib/OpenEXRCore/internal_ht.cpp leads to a heap-buffer overflow when decoding a crafted HTJ2K-compressed EXR file. decode->channels[i].width (int32_t) is multiplied by bytes_per_element in 32-bit signed arithmetic. With large widths (e.g., >= 536870912 for FLOAT data), this overflows, producing a corrupted offset that is later used for pointer arithmetic and can cause a heap out-of-bounds write. The same unchecked multiplication pattern appears in two other HTJ2K paths (bytes-per-line accumulation and pixel-line pointer advancement). As with related CVE-2026-34378 through CVE-2026-34589 fixes in other codecs, validating only after the multiplication is too late because the value may already be overflowed. This issue has been fixed in version 3.4.12.

AnalysisAI

Heap out-of-bounds write in OpenEXR 3.4.0 through 3.4.11 lets an attacker who supplies a crafted HTJ2K-compressed EXR file trigger memory corruption during decoding, via an integer overflow in the HTJ2K decoder ht_undo_impl(). Any application that decodes untrusted EXR images using the affected OpenEXRCore library is at risk, with potential for memory corruption and possible code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft EXR with oversized HTJ2K channel width
Delivery
Deliver file to EXR-decoding target
Exploit
Victim decodes via OpenEXRCore ht_undo_impl
Execution
32-bit width multiplication overflows
Persist
Corrupted offset drives heap out-of-bounds write
Impact
Memory corruption, crash or potential code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to decode an attacker-supplied EXR file that uses HTJ2K compression and declares an oversized channel width (for FLOAT data, width >= 536870912) sufficient to overflow the 32-bit width*bytes_per_element multiplication in ht_undo_impl(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a real but not urgent issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious EXR file with an HTJ2K-compressed channel declaring a very large width (e.g., >= 536870912 for FLOAT data) and submits it to a target that decodes EXR images - for example uploading it to a VFX asset pipeline, render service, or image converter using OpenEXR. When the victim application decodes the file, the 32-bit multiplication overflows and the corrupted offset drives a heap out-of-bounds write. …
Remediation Vendor-released patch: OpenEXR 3.4.12, which fixes the integer overflow in ht_undo_impl() (and the related CVE-2026-45696 OOB read in the same function); upgrade to 3.4.12 or later from https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.12 and review the advisory at https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-777r-f9x8-7r84. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit inventory for all services and applications using OpenEXR 3.4.0-3.4.11 (OpenEXRCore library). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2018-18444 HIGH POC
8.8 Oct 17

makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds write, leading to an assertion failure or possib

CVE-2026-27622 HIGH POC
8.4 Mar 03

Out-of-bounds heap write in OpenEXR's CompositeDeepScanLine::readPixels lets a crafted multi-part deep-scanline EXR file

CVE-2017-12596 HIGH POC
7.8 Aug 07

In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp du

CVE-2026-26981 MEDIUM POC
6.5 Feb 24

OpenEXR versions 3.3.0-3.3.6 and 3.4.0-3.4.4 are vulnerable to a heap buffer overflow in file parsing due to improper in

CVE-2021-3598 MEDIUM POC
5.5 Jul 06

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. Rated medium severity (CV

CVE-2020-16589 MEDIUM POC
5.5 Dec 09

A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.

CVE-2020-16588 MEDIUM POC
5.5 Dec 09

A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp

CVE-2020-16587 MEDIUM POC
5.5 Dec 09

A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruct

CVE-2020-11765 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11764 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11763 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11762 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Not-Affected
SUSE Linux Enterprise Server 15 SP7 Not-Affected

Share

EUVD-2026-37944 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy