CVE-2026-27622

EUVD-2026-9342

03.03.2026, 23:15

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32.  overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Affected Products (NVD)

Vendor	Product	Version
openexr	openexr	𝑥 < 3.2.6
openexr	openexr	3.3.0 ≤ 𝑥 < 3.3.8
openexr	openexr	3.4.0 ≤ 𝑥 < 3.4.6

𝑥

= Vulnerable software versions

Red Hat Enterprise Linux Releases

Red Hat Product

Release

OpenEXR-devel

RHEL 8

0:2.2.0-12.el8_10.1

fixed

OpenEXR-libs

RHEL 8

0:2.2.0-12.el8_10.1

fixed

openexr

RHEL 9

0:3.1.1-3.el9_7.1

fixed

openexr-devel

RHEL 9

0:3.1.1-3.el9_7.1

fixed

openexr-libs

RHEL 9

0:3.1.1-3.el9_7.1

fixed

Known Exploits!

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963