Integer overflow in OpenEXR - CVE-2026-54920
Published: June 23, 2026
OpenEXR
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer overflow in OpenEXRUtil Image::resize() and Image::clearLevels() when processing crafted Imath::Box2i data window coordinates through the public API. A remote attacker can supply crafted coordinate values that trigger exception cleanup and invalid deletion of uninitialized ImageLevel pointers to cause a denial of service.
The issue is confirmed to crash the process through an invalid delete of uninitialized pointer entries during exception cleanup, while remote code execution was not confirmed.
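A caller-side guard for untrusted data window coordinates, paired with a level table whose slots are null until assigned so that cleanup after an exception never deletes an uninitialized pointer. This is an added example, not OpenEXR code or the project's fix. The `Box2i` struct is a stand-in for `Imath::Box2i` (assumed inclusive integer corners), and `kMaxPixels`, `Level`, `dataWindowIsSane` and `buildLevels` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <memory>
#include <stdexcept>
#include <vector>

// Stand-in for Imath::Box2i (assumption: inclusive integer corners).
struct Box2i { int minX, minY, maxX, maxY; };

// Hypothetical caller-side cap on pixels per level; tune for the pipeline.
constexpr std::int64_t kMaxPixels = std::int64_t{1} << 28;

// Width and height are computed in 64-bit so max - min + 1 cannot wrap.
bool dataWindowIsSane(const Box2i& dw) {
    const std::int64_t w = std::int64_t{dw.maxX} - dw.minX + 1;
    const std::int64_t h = std::int64_t{dw.maxY} - dw.minY + 1;
    if (w <= 0 || h <= 0) return false;        // empty or inverted window
    if (w > std::numeric_limits<int>::max() ||
        h > std::numeric_limits<int>::max()) return false;
    return w <= kMaxPixels / h;                // bounds w * h without multiplying
}

struct Level { std::int64_t pixels; };         // hypothetical per-level object

// Builds `count` levels. Every slot starts as nullptr, so unwinding after a
// throw partway through the loop only ever releases pointers that were set.
std::vector<std::unique_ptr<Level>> buildLevels(const Box2i& dw,
                                                std::size_t count) {
    if (!dataWindowIsSane(dw))
        throw std::invalid_argument("data window rejected");
    std::vector<std::unique_ptr<Level>> levels(count);   // all null
    const std::int64_t w = std::int64_t{dw.maxX} - dw.minX + 1;
    const std::int64_t h = std::int64_t{dw.maxY} - dw.minY + 1;
    for (std::size_t i = 0; i < count; ++i)
        levels[i].reset(new Level{w * h});
    return levels;
}
```

Rejecting the window before any allocation keeps the resize path from reaching exception cleanup at all; the null-initialized table covers the case where a later allocation still throws.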