#VU125325 Integer overflow in OpenEXR - CVE-2026-27622
Published: April 8, 2026
Vulnerability identifier: #VU125325
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-27622
CWE-ID: CWE-190
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
OpenEXR
OpenEXR
Software vendor:
OpenEXR
OpenEXR
Description
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to integer overflow in CompositeDeepScanLine::readPixels when parsing a crafted multipart deep EXR file. A remote attacker can supply a specially crafted file to execute arbitrary code.
User interaction is required to open or process the crafted file through multipart deep read flows using MultiPartInputFile, DeepScanLineInputPart, and CompositeDeepScanLine.
Remediation
Install security update from vendor's website.