Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1040` performs `chan->width * chan->bytes_per_element` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other decoders by CVE-2026-34589/34588/34544, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1040`.
Published: 2026-04-21
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential memory corruption due to integer overflow
Action: Immediate Patch
AI Analysis

Impact

OpenEXR's internal DWA decoder performs a 32-bit integer multiplication that is not cast to a larger type, leading to a potential integer overflow when calculating channel size. This can corrupt memory via `outBufferEnd` pointer arithmetic. The vulnerability is categorized as CWE-190.

Affected Systems

The vulnerability affects the open-source Academy Software Foundation OpenEXR library. Vulnerable releases include 3.2.0 through 3.2.7, 3.3.0 through 3.3.9, and 3.4.0 through 3.4.9. Versions 3.2.8, 3.3.10, and 3.4.10 contain the fix that properly casts the operands before the multiplication.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. The EPSS score is below 1%, indicating a low current exploitation probability. The CVE description does not provide details on how the overflow might be triggered or the precise impact, so information on exploitation methods is not available. The flaw is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on April 22, 2026 at 05:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEXR to version 3.2.8, 3.3.10, or 3.4.10 or newer.
  • If an upgrade cannot occur immediately, add input-validation checks to ensure width and bytes_per_element are within reasonable bounds before processing as a temporary precaution.
  • Where possible, isolate EXR file decoding in a sandboxed or restricted process to contain any potential memory corruption.
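The following added example (not OpenEXR's code and not part of this OpenCVE record) puts the description and the bounds-check recommendation side by side: `channel_bytes_unchecked` reproduces the int32 multiply-then-widen pattern the advisory describes, while `channel_bytes_checked` is the cast-first form with a size cap. The `chan_t` struct, the function names and the `MAX_CHANNEL_BYTES` limit are assumptions, not OpenEXR identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for the advisory's channel fields; not OpenEXR's struct. */
typedef struct {
    int32_t width;
    int32_t bytes_per_element;
} chan_t;

/* Unsafe pattern: both operands are int32, so the product is formed in 32 bits and
 * widened only afterwards. Wraparound is simulated via uint32_t to avoid signed UB. */
size_t channel_bytes_unchecked(const chan_t *chan)
{
    uint32_t wrapped = (uint32_t)chan->width * (uint32_t)chan->bytes_per_element;
    return (size_t)(int32_t)wrapped; /* widened too late: already wrapped */
}

/* Hardened form: reject non-positive operands, widen to size_t before the
 * multiply, and cap the result so later pointer arithmetic stays bounded.
 * MAX_CHANNEL_BYTES is a constructed 1 GiB limit, not an OpenEXR constant. */
#define MAX_CHANNEL_BYTES ((size_t)1 << 30)

bool channel_bytes_checked(const chan_t *chan, size_t *out)
{
    if (chan->width <= 0 || chan->bytes_per_element <= 0)
        return false;
    size_t w = (size_t)chan->width;
    size_t b = (size_t)chan->bytes_per_element;
    if (w > MAX_CHANNEL_BYTES / b) /* overflow test that cannot itself overflow */
        return false;
    *out = w * b;
    return true;
}

/* 0 means "rejected": a valid channel is never zero bytes. */
size_t channel_bytes_or_zero(const chan_t *chan)
{
    size_t n = 0;
    return channel_bytes_checked(chan, &n) ? n : 0;
}

int main(void)
{
    chan_t bad = { .width = 0x10000000, .bytes_per_element = 16 }; /* 2^28 * 16 = 2^32 */
    printf("unchecked: %zu, checked: %zu\n",
           channel_bytes_unchecked(&bad), channel_bytes_or_zero(&bad)); /* 0, 0 */
    return 0;
}
```

The constructed `bad` channel wraps to 0 in 32-bit arithmetic, which is exactly the kind of undersized value that makes an end-pointer computation land short of the real buffer end; the checked form rejects it instead.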

Generated by OpenCVE AI on April 22, 2026 at 05:49 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Openexr
Openexr openexr
CPEs cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
Vendors & Products Openexr
Openexr openexr
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Academysoftwarefoundation
Academysoftwarefoundation openexr
Vendors & Products Academysoftwarefoundation
Academysoftwarefoundation openexr
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H'}

threat_severity

Moderate


Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1040` performs `chan->width * chan->bytes_per_element` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other decoders by CVE-2026-34589/34588/34544, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1040`.
Title OpenEXR has integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)
Weaknesses CWE-190
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-04-21T19:49:07.457Z

Reserved: 2026-04-10T17:31:45.786Z

Link: CVE-2026-40250

Vulnrichment

Updated: 2026-04-21T15:53:23.620Z

NVD

Status: Analyzed

Published: 2026-04-21T02:16:08.213

Modified: 2026-04-22T18:41:57.337

Link: CVE-2026-40250

Red Hat

Severity: Moderate

Public Date: 2026-04-21T01:33:00Z

Links: CVE-2026-40250 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T11:46:55Z

Weaknesses