Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs `curc->width * curc->height` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other locations by the recent CVE-2026-34589 batch, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1722`.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-j526-66f6-fxhx
X_Refsource_Misc x_refsource_misc
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.8
X_Refsource_Misc x_refsource_misc
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10
X_Refsource_Misc x_refsource_misc
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10
Scores
CVSS v3
7.1
EPSS
0.0035
EPSS Percentile
26.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-190
Status
published
Products (4)
AcademySoftwareFoundation/openexr
>= 3.2.0, < 3.2.8
AcademySoftwareFoundation/openexr
>= 3.3.0, < 3.3.10
AcademySoftwareFoundation/openexr
>= 3.4.0, < 3.4.10
openexr/openexr
3.2.0 - 3.2.8
Published
Apr 21, 2026
Tracked Since
Apr 21, 2026