Integer overflow in OpenEXR - CVE-2026-27622
Published: April 8, 2026
Vulnerability identifier: #VU125325
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-27622
CWE-ID: CWE-190
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: OpenEXR
Affected software:
OpenEXR
OpenEXR
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to integer overflow in CompositeDeepScanLine::readPixels when parsing a crafted multipart deep EXR file. A remote attacker can supply a specially crafted file to execute arbitrary code.
User interaction is required to open or process the crafted file through multipart deep read flows using MultiPartInputFile, DeepScanLineInputPart, and CompositeDeepScanLine.
How to mitigate CVE-2026-27622
Install security update from vendor's website.