Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes; for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from the wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup and consumption proceed with the true sample counts, and write operations in the core unpack routine (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
Published: 2026-03-03
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary memory write potentially leading to code execution
Action: Immediate Patch
AI Analysis

Impact

OpenEXR’s CompositeDeepScanLine::readPixels uses attacker‑controlled counts to accumulate per‑pixel totals, which wrap modulo 2^32. The wrapped totals are later used to resize sample buffers. When the actual sample counts exceed the resized buffer size, a heap out‑of‑bounds write occurs. This memory corruption can allow an attacker to overwrite arbitrary heap data and potentially execute arbitrary code.
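The two paragraphs above (the description and the impact analysis) both describe the same defect: per-pixel sample totals summed across parts into a 32-bit unsigned integer wrap, the buffer is sized from the wrapped value, and the decoder then writes the true number of samples. The example below is added here to make that arithmetic concrete and to show the defensive counterpart; it is illustrative code written for this page, not OpenEXR's own source. The function names, the constructed kSampleCounts input and the max_samples budget are assumptions, not names from the project. It demonstrates the unchecked accumulation beside an overflow-checked accumulation that rejects any scanline whose totals cannot be represented, which is the general mitigation for CWE-190 leading to CWE-787 in this kind of code.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed input (not from any real EXR file): per-part sample counts for
// one scanline, indexed as kSampleCounts[part][pixel]. Three parts, two pixels.
// Pixel 0 carries a pathological count in part 0 so a 32-bit running total wraps.
const std::vector<std::vector<uint32_t>> kSampleCounts = {
    {4294967295u, 10u},  // part 0
    {1u,          20u},  // part 1
    {5u,          30u},  // part 2
};

// Pattern described in the advisory: per-pixel totals kept in unsigned int and
// summed across parts with plain addition, so the sum wraps modulo 2^32.
// Illustration only; this is not OpenEXR's code.
uint32_t unchecked_pixel_total(const std::vector<std::vector<uint32_t>>& counts,
                               size_t pixel) {
    uint32_t total = 0;
    for (const auto& part : counts) total += part[pixel];  // silent wrap
    return total;
}

// The number of samples a decoder would actually write for that pixel,
// computed in 64 bits so nothing is lost.
uint64_t true_pixel_total(const std::vector<std::vector<uint32_t>>& counts,
                          size_t pixel) {
    uint64_t total = 0;
    for (const auto& part : counts) total += part[pixel];
    return total;
}

// Hardened variant: refuse a scanline whose per-pixel total cannot be
// represented, instead of sizing a buffer from the wrapped value.
// Returns false on overflow; `out` is only valid when true is returned.
bool checked_pixel_total(const std::vector<std::vector<uint32_t>>& counts,
                         size_t pixel, uint32_t& out) {
    uint32_t total = 0;
    for (const auto& part : counts) {
        uint32_t c = part[pixel];
        if (c > UINT32_MAX - total) return false;  // next addition would wrap
        total += c;
    }
    out = total;
    return true;
}

// Overall sample count for the scanline (what a buffer resize would use),
// accumulated in 64 bits and bounded by an explicit budget. `max_samples`
// is a hypothetical caller-supplied limit, not an OpenEXR parameter.
bool checked_overall_count(const std::vector<std::vector<uint32_t>>& counts,
                           size_t pixels, uint64_t max_samples,
                           uint64_t& out) {
    uint64_t overall = 0;
    for (size_t px = 0; px < pixels; ++px) {
        uint32_t per_pixel = 0;
        if (!checked_pixel_total(counts, px, per_pixel)) return false;
        overall += per_pixel;  // 32-bit addends into a 64-bit sum: no wrap here
        if (overall > max_samples) return false;  // reject absurd allocations
    }
    out = overall;
    return true;
}

// Samples the decoder would write past a buffer sized from the wrapped total:
// the gap the advisory describes as the heap out-of-bounds write.
uint64_t buffer_shortfall(const std::vector<std::vector<uint32_t>>& counts,
                          size_t pixel) {
    return true_pixel_total(counts, pixel) - unchecked_pixel_total(counts, pixel);
}

int main() {
    for (size_t px = 0; px < 2; ++px) {
        uint32_t checked = 0;
        bool ok = checked_pixel_total(kSampleCounts, px, checked);
        std::printf("pixel %zu: wrapped=%u true=%llu shortfall=%llu checked=%s\n",
                    px, unchecked_pixel_total(kSampleCounts, px),
                    (unsigned long long)true_pixel_total(kSampleCounts, px),
                    (unsigned long long)buffer_shortfall(kSampleCounts, px),
                    ok ? "accepted" : "rejected");
    }
    return 0;
}
```

For pixel 0 the unchecked total is 5 while the decoder would write 4294967301 samples, a shortfall of exactly 2^32; the checked variant rejects the scanline before any buffer is sized. A cap such as max_samples is worth adding even with overflow-safe arithmetic, since a representable but enormous count still turns into an unbounded allocation from untrusted input.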

Affected Systems

The vulnerability affects the AcademySoftwareFoundation OpenEXR implementation. Versions prior to v3.2.6, v3.3.8, and v3.4.6 are vulnerable. The fix is included in those releases and in all subsequent OpenEXR releases.

Risk and Exploitability

The CVSS score of 8.4 classifies the flaw as high severity. The EPSS score of < 1% indicates that, as of this analysis, exploitation is unlikely but not impossible. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires crafting a malicious EXR file that triggers the overrun during the CompositeDeepScanLine pixel read process. It thus likely depends on an attacker’s ability to provide a file to a vulnerable application that processes OpenEXR images; it is not a publicly accessible remote code execution vector but could be used in local or privilege‑escalation scenarios if the application runs with elevated rights.

Generated by OpenCVE AI on April 16, 2026 at 05:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch for OpenEXR v3.2.6, v3.3.8, or v3.4.6 (or any later release).
  • Upgrade to the newest supported OpenEXR release to ensure the integer‑overflow and heap‑OOB write issues are resolved.
  • If immediate upgrade is not feasible, restrict or disable processing of untrusted EXR files in the affected systems and monitor for anomalous file handling activity.


Tracking


Advisories
Source: Github GHSA
ID: GHSA-cr4v-6jm6-4963
Title: OpenEXR's CompositeDeepScanLine integer-overflow leads to heap OOB write
History

Thu, 05 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Openexr
Openexr openexr
CPEs cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
Vendors & Products Openexr
Openexr openexr
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Thu, 05 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 04 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Academysoftwarefoundation
Academysoftwarefoundation openexr
Vendors & Products Academysoftwarefoundation
Academysoftwarefoundation openexr

Tue, 03 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
Description OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
Title OpenEXR CompositeDeepScanLine integer-overflow leads to heap OOB write
Weaknesses CWE-787
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Academysoftwarefoundation Openexr
Openexr Openexr
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T03:56:39.168Z

Reserved: 2026-02-20T22:02:30.027Z

Link: CVE-2026-27622

Vulnrichment

Updated: 2026-03-04T16:08:09.596Z

NVD

Status : Analyzed

Published: 2026-03-03T23:15:55.737

Modified: 2026-03-05T21:07:05.753

Link: CVE-2026-27622

Redhat

Severity : Important

Public Date: 2026-03-03T22:42:49Z

Links: CVE-2026-27622 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T05:45:26Z

Weaknesses