CVE-2026-40250
HIGHOpenEXR has integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)
Title source: cnaDescription
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1040` performs `chan->width * chan->bytes_per_element` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other decoders by CVE-2026-34589/34588/34544, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1040`.
References (4)
Scores
CVSS v3
7.1
EPSS
0.0001
EPSS Percentile
2.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Details
CWE
CWE-190
Status
published
Products (4)
AcademySoftwareFoundation/openexr
>= 3.2.0, < 3.2.8
AcademySoftwareFoundation/openexr
>= 3.3.0, < 3.3.10
AcademySoftwareFoundation/openexr
>= 3.4.0, < 3.4.10
openexr/openexr
3.2.0 - 3.2.8
Published
Apr 21, 2026
Tracked Since
Apr 21, 2026