Integer Overflow Vulnerability in OpenEXR Image Format Software by Academy Software Foundation
CVE-2026-40244

8.4 HIGH

Key Information:

CVE Published: 21 April 2026

What is CVE-2026-40244?

OpenEXR, the software used to read and write the EXR image format in the motion picture industry, contains an integer overflow caused by an incorrect size calculation in the internal_dwa_compressor.h file. Specifically, the image height and width are multiplied using int32 arithmetic without first casting the operands to size_t, so the product can wrap and lead to unexpected behavior. Versions prior to 3.4.10, 3.3.10, and 3.2.8 are affected. Users are advised to upgrade to a fixed release (3.2.8, 3.3.10 or 3.4.10, depending on the branch in use) to mitigate the risk.
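To show why the missing cast matters, here is an added illustration of the defect class (not OpenEXR's own code; the function names are hypothetical): an int32 width*height product that wraps, beside a hardened version that widens each operand to size_t and checks the product before it is used as a size. A wrapped count undersizes anything allocated from it relative to the pixel data that is processed later.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <limits.h>

/* Hypothetical helper names; this is an added illustration of the defect
 * class described for internal_dwa_compressor.h, not OpenEXR's own code. */

/* Would width*height overflow if evaluated in int32 arithmetic?
 * Computed in int64 so the check itself is well defined. */
int int32_product_overflows(int32_t width, int32_t height)
{
    int64_t p = (int64_t)width * (int64_t)height;
    return p > INT32_MAX || p < INT32_MIN;
}

/* Low 32 bits of the product: the value a wrapped int32 multiply yields on
 * two's-complement targets. Signed overflow is undefined in C, so the wrap
 * is modelled with unsigned arithmetic rather than triggered. */
uint32_t wrapped_int32_product(int32_t width, int32_t height)
{
    return (uint32_t)width * (uint32_t)height;
}

/* Hardened form: widen each operand to size_t before multiplying, reject
 * non-positive dimensions, and refuse products that do not fit in size_t.
 * Returns 1 and stores the element count on success, 0 on rejection. */
int pixel_count_checked(int32_t width, int32_t height, size_t *out)
{
    if (width <= 0 || height <= 0)
        return 0;
    size_t w = (size_t)width, h = (size_t)height;
    if (w > SIZE_MAX / h)
        return 0;
    *out = w * h;
    return 1;
}

int main(void)
{
    int32_t w = 65536, h = 65536;   /* constructed example dimensions */
    size_t n = 0;
    printf("int32 overflow: %d, wrapped product: %u\n",
           int32_product_overflows(w, h), wrapped_int32_product(w, h));
    if (pixel_count_checked(w, h, &n))
        printf("checked product: %zu\n", n);
    else
        printf("rejected: product does not fit in size_t\n");
    return 0;
}
```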

Affected Version(s)

openexr >= 3.2.0, < 3.2.8 (fixed in 3.2.8)

openexr >= 3.3.0, < 3.3.10 (fixed in 3.3.10)

openexr >= 3.4.0, < 3.4.10 (fixed in 3.4.10)

CVSS v4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved