SB2026052518 - Multiple vulnerabilities in OpenEXR

Description

This security bulletin contains information about 2 vulnerabilities.

1) Heap-based buffer overflow (CVE-ID: CVE-2026-45696)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.

The vulnerability exists due to a heap-based buffer overflow in ht_undo_impl() in OpenEXRCore when parsing a crafted EXR file containing an HTJ2K codestream with smaller line dimensions than declared in the EXR header. A remote attacker can supply a specially crafted EXR file to cause a denial of service and disclose sensitive information.

User interaction is required to open a crafted EXR file.

2) Integer overflow (CVE-ID: CVE-2026-44663)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service and modify data integrity.

The vulnerability exists due to integer overflow leading to a heap-based buffer overflow in ht_undo_impl() in src/lib/OpenEXRCore/internal_ht.cpp when decoding a crafted HTJ2K-compressed EXR file. A remote attacker can trick the victim into opening a crafted file to cause a denial of service and modify data integrity.

User interaction is required to open a crafted file.

Remediation

Install update from vendor's website.

References

• https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-gjpj-qv64-vwhf
• https://github.com/AcademySoftwareFoundation/openexr/commit/15b620b523dd0392cf8144f2629c95db3525e2ac
• https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-777r-f9x8-7r84