Integer Overflow Vulnerability in OpenEXR Image Format by Academy Software Foundation
CVE-2026-39886

5.3 MEDIUM

Key Information:

Status
Vendor
CVE Published: 21 April 2026

What is CVE-2026-39886?

OpenEXR, an image storage format used primarily in the motion picture industry, has a signed integer overflow in its HTJ2K decompression path. The flaw is in the ht_undo_impl() function, where the bytes-per-line value (bpl) is computed in a 32-bit signed integer without an overflow check. A specially crafted EXR file declaring 16,385 FLOAT channels can push bpl past the maximum representable value, which is undefined behaviour; if the subsequent memory allocation succeeds, the result can be a heap out-of-bounds write, and because the file can be delivered remotely, an attacker who can get a victim to open it could trigger the flaw. Users are urged to upgrade to version 3.4.10, where this issue has been addressed.
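The defensive point of the description above is that a bytes-per-line figure is a product of width, channel count and sample size, and computing that product in a 32-bit `int` silently wraps. The following C snippet is an added example and is not OpenEXR's code or its actual fix: the function names (`bpl_fits_int32`, `compute_bpl_checked`), the cap of `INT32_MAX` on the result and the sample header values are assumptions made for illustration. It places the unchecked 32-bit arithmetic beside a checked version that does every multiplication in 64 bits with explicit overflow tests and rejects a result above the cap before any allocation is sized from it. The 16,385-channel count comes from the advisory; the image width is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed cap on a sane bytes-per-line value (not OpenEXR's real limit). */
#define BPL_LIMIT ((uint64_t)INT32_MAX)

/* Multiply two uint64_t values, refusing the result if it would wrap.
 * Portable division-based check, no compiler builtins required. */
static bool mul_u64_checked(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return false;               /* a * b would exceed UINT64_MAX */
    *out = a * b;
    return true;
}

/* The unsafe pattern: the same product evaluated the way a 32-bit int
 * computation would, reported as whether it fits in int32_t. Evaluated in
 * 64 bits here precisely so that the check itself cannot overflow. */
bool bpl_fits_int32(uint32_t width, uint32_t channels, uint32_t bytes_per_sample)
{
    uint64_t per_pixel, total;
    if (!mul_u64_checked(channels, bytes_per_sample, &per_pixel))
        return false;
    if (!mul_u64_checked(width, per_pixel, &total))
        return false;
    return total <= (uint64_t)INT32_MAX;
}

/* Hardened form: every intermediate is range-checked, zero-sized inputs are
 * rejected, and the final value is compared against BPL_LIMIT before the
 * caller ever uses it to size a buffer. Returns false on any rejection. */
bool compute_bpl_checked(uint32_t width, uint32_t channels,
                         uint32_t bytes_per_sample, uint64_t *bpl_out)
{
    uint64_t per_pixel, total;

    if (width == 0 || channels == 0 || bytes_per_sample == 0)
        return false;               /* nothing sensible to decode */
    if (!mul_u64_checked(channels, bytes_per_sample, &per_pixel))
        return false;
    if (!mul_u64_checked(width, per_pixel, &total))
        return false;
    if (total > BPL_LIMIT)
        return false;               /* would not fit the 32-bit int used downstream */

    *bpl_out = total;
    return true;
}

int main(void)
{
    /* Constructed header values: a normal RGB float image, and a pathological
     * one with the 16,385 FLOAT channels named in the advisory. */
    struct { const char *name; uint32_t w, ch, bps; } headers[] = {
        { "rgb float, 2048 wide",      2048,  3,     4 },
        { "16385 float channels",     32768,  16385, 4 },
    };

    for (size_t i = 0; i < sizeof headers / sizeof headers[0]; i++) {
        uint64_t bpl = 0;
        bool fits = bpl_fits_int32(headers[i].w, headers[i].ch, headers[i].bps);
        bool ok   = compute_bpl_checked(headers[i].w, headers[i].ch,
                                        headers[i].bps, &bpl);
        printf("%-24s fits int32: %s  checked: %s",
               headers[i].name, fits ? "yes" : "no", ok ? "accepted" : "rejected");
        if (ok)
            printf(" (bpl=%llu)", (unsigned long long)bpl);
        printf("\n");
    }
    return 0;
}
```

The rejection happens before allocation, which is the property that matters: a wrapped `bpl` that is still positive would pass a naive `if (bpl > 0)` test and size an undersized heap buffer, which is exactly how an overflow becomes an out-of-bounds write. Fuzzing the header parser with large channel counts, and compiling the decoder with `-fsanitize=undefined` so that signed overflow traps instead of wrapping, are the usual ways to catch this class of bug early.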

Affected Version(s)

openexr >= 3.4.0, < 3.4.10

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
