Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::resize that leads to heap OOB write via OpenEXRUtil public API. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
Published: 2026-05-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow occurs in the ImageChannel::resize method of OpenEXR, which can lead to a heap out‑of‑bounds write when the exposed OpenEXRUtil public API is used. This results in memory corruption that may compromise the stability or confidentiality of the consuming application. The flaw is an instance of CWE‑190 and is documented with a CVSS score of 8.8, indicating a high severity.

Affected Systems

The vulnerability affects the AcademySoftwareFoundation OpenEXR library in releases 3.0.0 through 3.2.8, 3.3.0 through 3.3.10 and 3.4.0 through 3.4.10. These versions are commonly integrated into motion‑picture production workflows, compositing suites, and image‑processing tools that accept EXR files.

Risk and Exploitability

The CVSS analysis classifies the issue as high severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. An attacker can supply a carefully crafted EXR file to any application that invokes the OpenEXRUtil API; no authentication, privilege escalation or additional conditions are required, making the abuse straightforward for systems that process untrusted EXR content. The potential for severe exploitation is therefore significant for affected deployments.

Generated by OpenCVE AI on May 7, 2026 at 05:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEXR to version 3.2.9 or newer, or to 3.3.11 or 3.4.11, which contain the integer‑overflow fix.
  • Rebuild or redeploy applications that depend on OpenEXR against the patched library version to ensure the fix is in effect.
  • Restrict the processing of EXR files to trusted sources and implement input validation or sandboxing where possible to mitigate the impact of any remaining vulnerabilities.

Generated by OpenCVE AI on May 7, 2026 at 05:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Academysoftwarefoundation
Academysoftwarefoundation openexr
Vendors & Products Academysoftwarefoundation
Academysoftwarefoundation openexr

Thu, 07 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 May 2026 04:15:00 +0000

Type Values Removed Values Added
Description OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::resize that leads to heap OOB write via OpenEXRUtil public API. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
Title OpenEXR is Vulnerable to Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API
Weaknesses CWE-190
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Academysoftwarefoundation Openexr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:57:59.652Z

Reserved: 2026-04-17T12:59:15.738Z

Link: CVE-2026-41142

cve-icon Vulnrichment

Updated: 2026-05-07T14:12:36.112Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-07T04:16:26.020

Modified: 2026-05-07T15:03:51.127

Link: CVE-2026-41142

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T18:00:11Z

Weaknesses