SB2026042063 - Multiple vulnerabilities in OpenEXR
Published: April 20, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2026-40250)
The vulnerability allows a remote attacker to corrupt the heap.
The vulnerability exists due to integer overflow or wraparound in DwaCompressor_uncompress() in internal_dwa_compressor.h when parsing a crafted DWAA/DWAB EXR file. A remote attacker can trick the victim into opening a crafted file to corrupt the heap.
User interaction is required to open a crafted file.
2) Integer overflow (CVE-ID: CVE-2026-40244)
The vulnerability allows a remote attacker to corrupt heap memory.
The vulnerability exists due to integer overflow in DWA setupChannelData planarUncRle pointer arithmetic when parsing a crafted EXR file. A remote attacker can supply a crafted DWAA/DWAB EXR file with large dimensions to corrupt heap memory.
User interaction is required to open the crafted file, and the issue is triggered on non-DCT channels, including UINT or single-channel layouts.
3) Integer overflow (CVE-ID: CVE-2026-39886)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to signed integer overflow in ht_undo_impl() in src/lib/OpenEXRCore/internal_ht.cpp when processing a crafted HTJ2K-compressed EXR file. A remote attacker can supply a specially crafted EXR file to cause a denial of service.
On allocator-permissive hosts, the wrapped negative bytes-per-line value may be used as a per-scanline pointer advance, which could lead to a heap out-of-bounds write.
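All three issues share one arithmetic pattern: an image dimension from the file is multiplied into a byte count or a pointer stride without a guard, so an oversized value wraps and the result is then used to allocate or to step through the heap. The following is an added, hypothetical illustration of the defensive form of that computation, not OpenEXR's own code; the `plane_layout` type, its field names and the helper names are assumptions, and the sample dimensions are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout record (an assumption, not an OpenEXR type): the
 * stride is kept in a signed 32-bit field, mirroring the bulletin's
 * description of a "wrapped negative bytes-per-line value". */
typedef struct {
    int32_t bytes_per_line;
    size_t  total_bytes;
} plane_layout;

/* Derive stride and total size for a planar channel of width x height
 * samples, sample_bytes each.  Every multiplication is guarded before it
 * happens, and all intermediate math is unsigned 64-bit so the guards
 * themselves cannot overflow.  Returns false for any input the caller
 * should refuse instead of allocating or advancing pointers with. */
bool checked_plane_layout(int64_t width, int64_t height, int64_t sample_bytes,
                          size_t max_bytes, plane_layout *out)
{
    if (out == NULL || width <= 0 || height <= 0 || sample_bytes <= 0)
        return false;

    uint64_t w = (uint64_t)width;
    uint64_t h = (uint64_t)height;
    uint64_t s = (uint64_t)sample_bytes;

    /* stride = width * sample_bytes, checked before multiplying */
    if (w > UINT64_MAX / s)
        return false;
    uint64_t stride = w * s;

    /* The stride must fit its signed 32-bit field; in unchecked code a
     * value above INT32_MAX is exactly what wraps negative. */
    if (stride > (uint64_t)INT32_MAX)
        return false;

    /* total = stride * height, checked the same way, then capped */
    if (h > UINT64_MAX / stride)
        return false;
    uint64_t total = stride * h;
    if (total > (uint64_t)max_bytes)
        return false;

    out->bytes_per_line = (int32_t)stride;
    out->total_bytes    = (size_t)total;
    return true;
}

/* Address of scanline y inside buf, or NULL if the whole line would not
 * lie within [buf, buf + total_bytes).  The per-scanline advance is only
 * ever taken from a layout that passed checked_plane_layout(). */
unsigned char *scanline_ptr(unsigned char *buf, const plane_layout *lay, int64_t y)
{
    if (buf == NULL || lay == NULL || y < 0 || lay->bytes_per_line <= 0)
        return NULL;
    uint64_t bpl = (uint64_t)lay->bytes_per_line;
    if (lay->total_bytes < bpl)
        return NULL;
    /* y * bpl must not overflow, and the line must end inside the buffer */
    if ((uint64_t)y > (lay->total_bytes - bpl) / bpl)
        return NULL;
    return buf + (uint64_t)y * bpl;
}

/* Total bytes for a plane, or 0 when the layout is rejected. */
size_t plane_total_or_zero(int64_t w, int64_t h, int64_t s, size_t cap)
{
    plane_layout L;
    return checked_plane_layout(w, h, s, cap, &L) ? L.total_bytes : 0;
}

static unsigned char demo_buf[64];   /* constructed 8x4 plane, 2 bytes/sample */

/* Byte offset of scanline y in demo_buf, or -1 if it is out of range. */
int64_t demo_scanline_offset(int64_t y)
{
    plane_layout L;
    if (!checked_plane_layout(8, 4, 2, sizeof demo_buf, &L))
        return -1;
    unsigned char *p = scanline_ptr(demo_buf, &L, y);
    return p ? (int64_t)(p - demo_buf) : -1;
}

int main(void)
{
    printf("1920x1080x2: %zu bytes\n",
           plane_total_or_zero(1920, 1080, 2, (size_t)1 << 30));
    printf("2^30 wide x 4 bytes: %zu (0 = rejected, stride would wrap int32)\n",
           plane_total_or_zero((int64_t)1 << 30, 1, 4, (size_t)1 << 40));
    printf("scanline 3 offset: %lld, scanline 4: %lld\n",
           (long long)demo_scanline_offset(3), (long long)demo_scanline_offset(4));
    return 0;
}
```

The two checks that matter are the division-based guards before each multiplication and the comparison of the stride against the width of the field that will store it; the allocation cap is a separate policy decision that keeps a merely large (rather than wrapping) file from exhausting memory. A decoder that rejects a header at this point never reaches the pointer-advance stage with a negative or truncated stride.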
Remediation
Install the update from the vendor's website.
References
- https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-m5qw-23x2-6phj
- https://github.com/advisories/GHSA-m5qw-23x2-6phj
- https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-j526-66f6-fxhx
- https://github.com/advisories/GHSA-j526-66f6-fxhx
- https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-r3mr-mx8q-jcw5