CVE-2026-40250
HIGHOpenEXR has integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)
Title source: cnaDescription
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1040` performs `chan->width * chan->bytes_per_element` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other decoders by CVE-2026-34589/34588/34544, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1040`.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-m5qw-23x2-6phj
X_Refsource_Misc x_refsource_misc
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.8
X_Refsource_Misc x_refsource_misc
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10
X_Refsource_Misc x_refsource_misc
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10
Scores
CVSS v3
7.1
EPSS
0.0035
EPSS Percentile
26.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-190
Status
published
Products (4)
AcademySoftwareFoundation/openexr
>= 3.2.0, < 3.2.8
AcademySoftwareFoundation/openexr
>= 3.3.0, < 3.3.10
AcademySoftwareFoundation/openexr
>= 3.4.0, < 3.4.10
openexr/openexr
3.2.0 - 3.2.8
Published
Apr 21, 2026
Tracked Since
Apr 21, 2026