Impact
OpenEXR’s readVariableLengthInteger() decodes an untrusted EXR file without bounding the shift count. After processing multiple continuation bytes, the code performs a left shift by 70 on a 64‑bit value, a shift count that is larger than the width of the operand and triggers undefined behavior. Depending on how the runtime handles this UB, the application may crash, corrupt data in memory, or exhibit unpredictable behavior, potentially compromising confidentiality, integrity, or availability of the process reading the file.
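The bounds check such a decoder needs, as an added example that is not OpenEXR's code or its patch. It assumes a 7-bits-per-byte, least-significant-group-first encoding with the high bit as continuation flag (consistent with a shift count of 70 on the eleventh byte); `read_varint_checked` and its status codes are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not OpenEXR source. Assumed encoding: 7 payload bits
 * per byte, least-significant group first, high bit set = more bytes follow. */
enum varint_status { VARINT_OK = 0, VARINT_TRUNCATED = -1, VARINT_OVERFLOW = -2 };

/* Decodes one value from buf[0..len). On success stores the value in *out
 * and the number of bytes consumed in *used. */
int read_varint_checked(const uint8_t *buf, size_t len,
                        uint64_t *out, size_t *used)
{
    uint64_t value = 0;
    unsigned shift = 0;

    for (size_t i = 0; i < len; i++) {
        uint64_t group = buf[i] & 0x7Fu;

        /* An unbounded decoder would shift here regardless of `shift`, which
         * reaches 70 on the 11th byte: undefined behaviour on a 64-bit type. */
        if (shift >= 64)
            return VARINT_OVERFLOW;
        /* At shift 63 only one payload bit still fits into 64 bits. */
        if (shift > 57 && (group >> (64 - shift)) != 0)
            return VARINT_OVERFLOW;

        value |= group << shift;
        if ((buf[i] & 0x80u) == 0) {
            *out = value;
            *used = i + 1;
            return VARINT_OK;
        }
        shift += 7;
    }
    return VARINT_TRUNCATED; /* input ended with the continuation bit set */
}

int main(void)
{
    /* Constructed input: ten continuation bytes, then a terminating byte. */
    const uint8_t crafted[11] = {0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
                                 0x80, 0x80, 0x80, 0x80, 0x01};
    uint64_t v = 0; size_t n = 0;
    int rc = read_varint_checked(crafted, sizeof crafted, &v, &n);
    printf("crafted input -> status %d\n", rc);
    return 0;
}
```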
Affected Systems
The vulnerability exists in the Academy Software Foundation’s OpenEXR library in versions 3.0.0 through 3.2.8, 3.3.0 through 3.3.10, and 3.4.0 through 3.4.10. The issue was addressed in 3.2.9, 3.3.11, and 3.4.11, which contain the necessary bounds checks for the shift operation.
Risk and Exploitability
The CVSS score of 6.3 indicates a medium to high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, which suggests a lower likelihood of widespread exploitation at present. However, the flaw can be triggered whenever an application loads an EXR file from an untrusted source, making it potentially exploitable in contexts where such files are accepted. Attackers would need to craft a malicious EXR file that forces the shift overflow; the impact could be a crash or memory corruption rather than immediate code execution.