Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf
X_Refsource_Misc x_refsource_misc
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
X_Refsource_Misc x_refsource_misc
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
X_Refsource_Misc x_refsource_misc
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
Scores
CVSS v3
7.8
EPSS
0.0025
EPSS Percentile
16.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-125
CWE-190
CWE-787
Status
published
Products (6)
AcademySoftwareFoundation/openexr
>= 3.1.0, <= 3.1.13
AcademySoftwareFoundation/openexr
>= 3.2.0, < 3.2.7
AcademySoftwareFoundation/openexr
>= 3.3.0, < 3.3.9
AcademySoftwareFoundation/openexr
>= 3.4.0, < 3.4.9
openexr/openexr
3.1.0 - 3.2.7
pypi/OpenEXR
3.1.0 - 3.2.7PyPI
Published
Apr 06, 2026
Tracked Since
Apr 06, 2026