Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs `curc->width * curc->height` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other locations by the recent CVE-2026-34589 batch, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1722`.
Published: 2026-04-21
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Integer overflow leading to potential memory corruption and arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

OpenEXR performs `curc->width * curc->height` in `internal_dwa_compressor.h:1722` using 32-bit signed arithmetic without a widening cast, causing an integer overflow that miscalculates the buffer size for DWA compression. This overflow can result in writes beyond the allocated buffer, enabling an attacker who can supply a crafted EXR file to corrupt memory or potentially execute arbitrary code. The weakness is classified as CWE-190 (Integer Overflow or Wraparound).
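To make the arithmetic concrete, here is an added C example. It is not OpenEXR code: the `ChannelDims` struct, the function names and the sample dimensions are constructed for illustration, modelled only on the `curc->width` and `curc->height` fields the description names. It shows the 32-bit product wrapping for dimensions that each fit comfortably in an `int32`, a 64-bit detector for that condition, and the hardened form that widens to `size_t` before multiplying and rejects negative dimensions, which is the kind of size check the Recommended Actions refer to.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the per-channel dimension fields the advisory
   names (curc->width, curc->height). Not OpenEXR's real structure. */
typedef struct {
    int32_t width;
    int32_t height;
} ChannelDims;

/* The vulnerable pattern: the product is formed in 32-bit arithmetic and only
   afterwards used as a size. Signed overflow is undefined behaviour in C, so
   this emulates the wraparound compiled code exhibits in practice by
   multiplying in uint32_t (defined modulo 2^32) and converting back, which
   GCC and Clang implement as two's-complement truncation. */
static int32_t pixel_count_int32(const ChannelDims *curc) {
    uint32_t wrapped = (uint32_t)curc->width * (uint32_t)curc->height;
    return (int32_t)wrapped;
}

/* Detector: would width*height exceed what an int32 can hold? A 64-bit
   product cannot itself overflow for any pair of int32 inputs, so this is
   safe to evaluate before trusting the dimensions. */
static bool product_overflows_int32(const ChannelDims *curc) {
    int64_t p = (int64_t)curc->width * (int64_t)curc->height;
    return p < 0 || p > INT32_MAX;
}

/* Hardened pattern, the "(size_t) cast" idea from the advisory done fully:
   reject negative dimensions, widen BEFORE multiplying, and also guard the
   size_t product so the check holds on 32-bit hosts. Returns false when the
   size is rejected; *out is untouched in that case. */
static bool pixel_count_checked(const ChannelDims *curc, size_t *out) {
    if (curc->width < 0 || curc->height < 0) return false;
    size_t w = (size_t)curc->width;
    size_t h = (size_t)curc->height;
    if (w != 0 && h > SIZE_MAX / w) return false;  /* would wrap even in size_t */
    *out = w * h;
    return true;
}

int main(void) {
    /* Constructed dimensions: 65536 x 32768 = 2^31, one past INT32_MAX, and
       65536 x 65536 = 2^32, which wraps all the way to zero in 32 bits. */
    ChannelDims big  = { 65536, 32768 };
    ChannelDims wrap = { 65536, 65536 };
    ChannelDims hd   = { 1920, 1080 };
    size_t n = 0;

    printf("65536x32768 as int32 product: %d (overflows: %s)\n",
           pixel_count_int32(&big), product_overflows_int32(&big) ? "yes" : "no");
    printf("65536x65536 as int32 product: %d (overflows: %s)\n",
           pixel_count_int32(&wrap), product_overflows_int32(&wrap) ? "yes" : "no");

    if (pixel_count_checked(&big, &n))
        printf("checked 65536x32768: %zu pixels\n", n);
    else
        printf("checked 65536x32768: rejected (too large for size_t here)\n");

    if (pixel_count_checked(&hd, &n))
        printf("checked 1920x1080: %zu pixels\n", n);
    return 0;
}
```

The essential difference is the order of operations: `pixel_count_checked` converts each operand to `size_t` first and then multiplies, whereas casting the already-overflowed `int32` result to `size_t` afterwards, which is the easy mistake, only sign-extends a wrong number.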

Affected Systems

The Academy Software Foundation’s OpenEXR library versions 3.2.0 to 3.2.7, 3.3.0 to 3.3.9, and 3.4.0 to 3.4.9 are vulnerable. The fix is included in releases 3.2.8, 3.3.10, and 3.4.10.

Risk and Exploitability

With a CVSS score of 8.4, the vulnerability is rated high severity. The EPSS score is not available, so exact exploit probability cannot be assessed, and the vulnerability is not listed in CISA KEV, indicating no known public exploitation. The vulnerable code is invoked when parsing EXR files, so the likely attack vector is a malicious image supplied to the application. If the application runs with elevated privileges, the potential impact extends to full system compromise.

Generated by OpenCVE AI on April 21, 2026 at 15:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenEXR to version 3.4.10, 3.3.10, or 3.2.8 (or later) to apply the fix
  • Configure applications to reject or sandbox processing of untrusted EXR files until the library is updated
  • If immediate upgrade is impossible, disable DWA compression or manually patch the internal_dwa_compressor.h source to reject sizes that would overflow


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 00:15:00 +0000

  References
  Metrics: threat_severity
    Values removed: None
    Values added:   Important

Wed, 22 Apr 2026 18:45:00 +0000

  First Time appeared
    Values added:   Openexr, Openexr openexr
  CPEs
    Values added:   cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
  Vendors & Products
    Values added:   Openexr, Openexr openexr
  Metrics: cvssV3_1
    Values added:   {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}

Wed, 22 Apr 2026 12:15:00 +0000

  First Time appeared
    Values added:   Academysoftwarefoundation, Academysoftwarefoundation openexr
  Vendors & Products
    Values added:   Academysoftwarefoundation, Academysoftwarefoundation openexr

Wed, 22 Apr 2026 00:00:00 +0000

  Metrics: ssvc
    Values added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 01:45:00 +0000

  Description
    Values added:   OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs `curc->width * curc->height` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other locations by the recent CVE-2026-34589 batch, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1722`.
  Title
    Values added:   OpenEXR has integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)
  Weaknesses
    Values added:   CWE-190
  References
  Metrics: cvssV4_0
    Values added:   {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T03:55:56.354Z

Reserved: 2026-04-10T17:31:45.786Z

Link: CVE-2026-40244

Vulnrichment

Updated: 2026-04-21T19:31:35.069Z

NVD

Status : Analyzed

Published: 2026-04-21T02:16:08.060

Modified: 2026-04-22T18:41:48.990

Link: CVE-2026-40244

Red Hat

Severity: Important

Public Date: 2026-04-21T01:30:55Z

Links: CVE-2026-40244 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T11:46:56Z

Weaknesses