SB2026040881 - Fedora 44 update for mingw-openexr

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026040881

SB2026040881 - Fedora 44 update for mingw-openexr

Published: April 8, 2026

Security Bulletin ID SB2026040881
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Signed to Unsigned Conversion Error (CVE-ID: CVE-2026-26981)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to signed to unsigned conversion error in the istream_nonparallel_read function in ImfContextInit.cpp when parsing a malformed EXR file through a memory-mapped IStream. A remote attacker can supply a specially crafted EXR file to cause a denial of service.

User interaction is required to open the crafted file. Only applications using an IStream implementation where isMemoryMapped() returns true are vulnerable.


2) Integer overflow (CVE-ID: CVE-2026-27622)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to integer overflow in CompositeDeepScanLine::readPixels when parsing a crafted multipart deep EXR file. A remote attacker can supply a specially crafted file to execute arbitrary code.

User interaction is required to open or process the crafted file through multipart deep read flows using MultiPartInputFile, DeepScanLineInputPart, and CompositeDeepScanLine.


Remediation

Install update from vendor's website.

References