SB2026062311 - Multiple vulnerabilities in OpenEXR

Published: June 23, 2026

Security Bulletin ID: SB2026062311
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium 33%, Low 67%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Improper locking (CVE-ID: N/A)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in exr_get_chunk_table_offset() when handling write contexts before the header has been written. A local user can call the public OpenEXRCore C API in a sequence that leaves the context locked, causing a denial of service.

A later API call that attempts to acquire the same lock can block forever, resulting in a deterministic self-deadlock and process hang.


2) NULL pointer dereference (CVE-ID: CVE-2026-55371)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in exr_attr_set_bytes() and exr_attr_bytes_create() when processing a bytes attribute with a positive hint length and a NULL type_hint pointer. A local user can supply a crafted bytes attribute structure to cause a denial of service.

The issue is reachable through the public OpenEXRCore C API.


3) Integer overflow (CVE-ID: CVE-2026-55373)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to integer overflow or wraparound in roundListSizeUp() in OpenEXRUtil SampleCountChannel when processing a sample count of UINT_MAX. A remote attacker can supply a UINT_MAX sample count through the public API to cause a denial of service.

The issue results in an infinite CPU loop in both the endEdit() path and the direct set(x, y, UINT_MAX) path.
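The failure class in (3) is a size-rounding loop whose counter wraps past UINT_MAX and so never satisfies its exit condition. The following is an added illustration of an overflow-checked round-up helper; it is constructed for this bulletin and is not OpenEXR's roundListSizeUp(), whose exact implementation is not shown here. The function name and the power-of-two rounding rule are assumptions chosen to demonstrate the check.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Round `n` up to the next power of two, reporting failure instead of
   spinning when no representable power of two is >= n.
   Constructed example for CWE-190 (not OpenEXR's roundListSizeUp()). */
bool round_up_pow2_checked(unsigned int n, unsigned int *out)
{
    unsigned int size = 1;
    while (size < n) {
        /* A loop whose only condition is `size < n` and whose body is
           `size *= 2` wraps to 0 once size exceeds UINT_MAX / 2, and for
           n == UINT_MAX the condition 0 < UINT_MAX then holds forever.
           Detect the wrap before performing the multiplication. */
        if (size > UINT_MAX / 2)
            return false;
        size *= 2;
    }
    *out = size;
    return true;
}

/* Validate a requested per-pixel sample count before it reaches any
   capacity-rounding code path; the bound is illustrative. */
bool sample_count_is_acceptable(unsigned int requested)
{
    unsigned int capacity;
    return round_up_pow2_checked(requested, &capacity);
}

int main(void)
{
    unsigned int r;
    const unsigned int inputs[] = {5u, 1u << 31, UINT_MAX};
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (round_up_pow2_checked(inputs[i], &r))
            printf("%u -> %u\n", inputs[i], r);
        else
            printf("%u -> rejected (would overflow)\n", inputs[i]);
    }
    return 0;
}
```

The point of the check is that the caller receives an error for a count such as UINT_MAX rather than the process entering an unbounded loop; the endEdit() and set(x, y, UINT_MAX) paths named above would both be gated by a validation of this shape.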


4) Integer overflow (CVE-ID: CVE-2026-54920)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to integer overflow in OpenEXRUtil Image::resize() and Image::clearLevels() when processing crafted Imath::Box2i data window coordinates through the public API. A remote attacker can supply crafted coordinate values that trigger exception cleanup and invalid deletion of uninitialized ImageLevel pointers to cause a denial of service.

The issue is confirmed to crash the process through an invalid delete of uninitialized pointer entries during exception cleanup; remote code execution was not confirmed.


5) Out-of-bounds write (CVE-ID: CVE-2026-55059)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds write in Imf_4_0::SampleCountChannel::set(int r, unsigned int newNumSamples[]) when processing row-based sample-count updates through the OpenEXRUtil DeepImage API. A remote attacker can trick the victim into opening a crafted file to cause a denial of service.

User interaction is required, and exploitation requires image data windows whose X and Y origins differ.


6) Reachable assertion (CVE-ID: CVE-2026-53532)

CWE-ID: CWE-617 - Reachable Assertion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to reachable assertion in param_qcd::get_irrev_delta() in the vendored OpenJPH library when parsing a crafted HTJ2K-compressed EXR file. A remote attacker can trick the victim into opening a crafted file to cause a denial of service.

The issue is triggered by a QCD marker with Sqcd & 0x1F equal to 0, causing an unconditional process abort that cannot be caught by try/catch.


Remediation

Install the update from the vendor's website.