Description
OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, an integer overflow in ht_undo_impl() in src/lib/OpenEXRCore/internal_ht.cpp leads to a heap-buffer overflow when decoding a crafted HTJ2K-compressed EXR file. decode->channels[i].width (int32_t) is multiplied by bytes_per_element in 32-bit signed arithmetic. With large widths (e.g., >= 536870912 for FLOAT data), this overflows, producing a corrupted offset that is later used for pointer arithmetic and can cause a heap out-of-bounds write. The same unchecked multiplication pattern appears in two other HTJ2K paths (bytes-per-line accumulation and pixel-line pointer advancement). As with related CVE-2026-34378 through CVE-2026-34589 fixes in other codecs, validating only after the multiplication is too late because the value may already be overflowed. This issue has been fixed in version 3.4.12.
Published: 2026-06-18
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer overflow in the HTJ2K decoder of OpenEXR's core library (ht_undo_impl() in src/lib/OpenEXRCore/internal_ht.cpp). During decoding of a crafted HTJ2K-compressed EXR file, the decoder multiplies the int32_t channel width by the number of bytes per element in 32-bit signed arithmetic. For very large widths the product exceeds INT32_MAX: a width of 536,870,912 pixels (2^29) with 4-byte FLOAT samples yields 2^31, which does not fit in a signed 32-bit integer. The wrapped result is a corrupted offset that is later used in pointer arithmetic and can cause a heap out-of-bounds write. The same unchecked multiplication appears in two further HTJ2K paths (bytes-per-line accumulation and pixel-line pointer advancement). This is an instance of CWE-190 (Integer Overflow) leading to CWE-787 (Out-of-Bounds Write). The resulting heap corruption can crash the decoding process and corrupt adjacent heap memory; the assigned CVSS vector rates the impact as low integrity and high availability and does not claim code execution.

Affected Systems

The flaw affects the Academy Software Foundation OpenEXR library, versions 3.4.0 through 3.4.11. Any software or pipeline that decodes HTJ2K‑compressed EXR files—such as motion‑picture editing tools or rendering engines—running these versions is vulnerable. The issue has been fixed in OpenEXR 3.4.12; upgrading to that version or later eliminates the risk.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H) indicates medium severity. The local attack vector and required user interaction reflect the file-parsing model: an attacker must get a crafted HTJ2K-compressed EXR file in front of a vulnerable decoder, which is a common pattern in file-processing libraries, but needs no privileged access. The EPSS score is not yet available and the vulnerability is not listed in CISA KEV. The risk is therefore concentrated in environments that decode untrusted EXR files, such as the editing tools and rendering engines mentioned above or any service that decodes uploaded images automatically.

Generated by OpenCVE AI on June 18, 2026 at 22:02 UTC.

Remediation

The description records a vendor fix in OpenEXR 3.4.12; no separate vendor advisory or workaround is listed on this page.

OpenCVE Recommended Actions

  • Update the OpenEXR library to version 3.4.12 or later, which contains the overflow fix.
  • If an update is not immediately possible, restrict processing of HTJ2K-compressed EXR files to trusted sources, or disable HTJ2K decoding entirely in the affected application.
  • As an interim mitigation, validate channel geometry in the calling application before handing the file to the decoder: reject any channel whose width exceeds INT32_MAX / bytes_per_element (checked by division, not by computing the product), and reject headers whose summed per-channel line sizes would exceed INT32_MAX. Checking the product after the multiplication is exactly the pattern the description calls too late, because the value may already have wrapped.

Generated by OpenCVE AI on June 18, 2026 at 22:02 UTC.
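
The following C program is an added example, not code from OpenEXR or from this advisory. It reproduces the arithmetic described in the Impact section (a 32-bit signed width * bytes_per_element product) on a constructed channel record, shows the wrapped value that a width of 536870912 with 4-byte FLOAT samples produces, and implements the pre-multiplication check from the recommended actions above, extended to the bytes-per-line accumulation and row-offset paths the description also mentions. The struct and function names (channel_geom, unsafe_line_bytes, safe_line_bytes, safe_total_line_bytes, safe_row_offset) are assumptions chosen for the example; only the field name width and the type int32_t come from the CVE text.

```c
/* Added example, not OpenEXR project code. Reproduces the 32-bit
 * width * bytes_per_element overflow described for CVE-2026-44663 and
 * shows the pre-multiplication validation that prevents it. Struct and
 * function names are assumptions made for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical per-channel geometry. OpenEXR stores the channel width as
 * int32_t (decode->channels[i].width in the CVE text); the rest is ours. */
typedef struct {
    int32_t width;
    int32_t height;
    int32_t bytes_per_element;   /* 2 for HALF, 4 for FLOAT and UINT */
} channel_geom;

/* The vulnerable pattern: both operands are int32_t, so the product is
 * formed in 32-bit signed arithmetic. Signed overflow is undefined in C;
 * the wrapped value is computed through uint32_t here so the result is
 * deterministic on two's-complement targets and matches what the
 * overflowed code effectively stores as its offset. */
static int32_t unsafe_line_bytes(const channel_geom *c)
{
    uint32_t wrapped = (uint32_t)c->width * (uint32_t)c->bytes_per_element;
    return (int32_t)wrapped;
}

/* Hardened form: bound the width against INT32_MAX / bytes_per_element
 * before multiplying, so the product is never formed when it would
 * overflow. Returns 0 and stores the line size on success, -1 on reject. */
static int safe_line_bytes(const channel_geom *c, int32_t *out)
{
    if (c->width < 0 || c->bytes_per_element <= 0)
        return -1;
    if (c->width > INT32_MAX / c->bytes_per_element)
        return -1;
    *out = c->width * c->bytes_per_element;
    return 0;
}

/* Bytes-per-line accumulation across channels: each product can be in
 * range while the running sum still overflows int32, so accumulate in
 * int64_t and cap the total at INT32_MAX. Returns 0 / -1 as above. */
static int safe_total_line_bytes(const channel_geom *chans, size_t n,
                                 int64_t *out)
{
    int64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        int32_t line;
        if (safe_line_bytes(&chans[i], &line) != 0)
            return -1;
        total += line;
        if (total > INT32_MAX)
            return -1;
    }
    *out = total;
    return 0;
}

/* Pixel-line pointer advancement: row offset = line_bytes * row. Check the
 * multiplication the same way instead of advancing a pointer by an int32
 * product. Returns the byte offset of `row`, or -1 if it would overflow. */
static int64_t safe_row_offset(int32_t line_bytes, int32_t row)
{
    if (line_bytes < 0 || row < 0)
        return -1;
    if (line_bytes != 0 && row > INT32_MAX / line_bytes)
        return -1;
    return (int64_t)line_bytes * row;
}

int main(void)
{
    /* Constructed inputs: the CVE's example geometry and a sane one. */
    channel_geom crafted = { 536870912, 1, 4 };   /* 2^29 px * 4 B = 2^31 */
    channel_geom normal  = { 4096, 2160, 4 };
    int32_t line = 0;
    int64_t total = 0;

    printf("crafted: unsafe product = %d\n", (int)unsafe_line_bytes(&crafted));
    printf("crafted: safe check     = %s\n",
           safe_line_bytes(&crafted, &line) == 0 ? "accepted" : "rejected");
    if (safe_line_bytes(&normal, &line) == 0) {
        printf("normal:  line bytes = %d, last row offset = %lld\n",
               (int)line, (long long)safe_row_offset(line, normal.height - 1));
    }
    channel_geom two[2] = { { 536870912, 1, 2 }, { 536870912, 1, 2 } };
    printf("two HALF channels of width 2^29: %s\n",
           safe_total_line_bytes(two, 2, &total) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Compile with any C99 compiler and run: the crafted geometry prints -2147483648 from the unchecked path and is rejected by the checked one, while the two HALF channels pass individually but are rejected when their line sizes are summed. On GCC and Clang, __builtin_mul_overflow gives the same pre-multiplication guarantee with less code; the division form is used here because it is portable and mirrors the check described in the recommended actions.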


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Academysoftwarefoundation; Academysoftwarefoundation openexr
Vendors & Products   -                Academysoftwarefoundation; Academysoftwarefoundation openexr

Thu, 18 Jun 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description   -                OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, an integer overflow in ht_undo_impl() in src/lib/OpenEXRCore/internal_ht.cpp leads to a heap-buffer overflow when decoding a crafted HTJ2K-compressed EXR file. decode->channels[i].width (int32_t) is multiplied by bytes_per_element in 32-bit signed arithmetic. With large widths (e.g., >= 536870912 for FLOAT data), this overflows, producing a corrupted offset that is later used for pointer arithmetic and can cause a heap out-of-bounds write. The same unchecked multiplication pattern appears in two other HTJ2K paths (bytes-per-line accumulation and pixel-line pointer advancement). As with related CVE-2026-34378 through CVE-2026-34589 fixes in other codecs, validating only after the multiplication is too late because the value may already be overflowed. This issue has been fixed in version 3.4.12.
Title         -                OpenEXR: Integer overflow in the HTJ2K decoder leads to heap-buffer-overflow
Weaknesses    -                CWE-190; CWE-787
References    -
Metrics       -                cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T20:20:15.532Z

Reserved: 2026-05-07T16:20:08.659Z

Link: CVE-2026-44663

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T22:15:04Z

Weaknesses