Heap-buffer Overflow Vulnerability in OpenEXR by Academy Software Foundation
CVE-2026-44663

6.1 MEDIUM

Key Information:

Status
Vendor
CVE Published: 18 June 2026

What is CVE-2026-44663?

The OpenEXR library, which is central to handling the EXR image format in the motion picture industry, is susceptible to a heap-buffer overflow caused by an integer overflow in the ht_undo_impl() function. The vulnerability is present in versions 3.4.0 to 3.4.11 and arises from unchecked arithmetic when decoding specially crafted HTJ2K-compressed EXR files: a multiplication of channel widths is performed without an overflow check, so a wrapped product yields a corrupted offset and can lead to heap out-of-bounds writes. The flaw illustrates why size and offset arithmetic derived from untrusted file headers must be validated before it is used to address memory. The issue has been addressed in version 3.4.12.
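The pattern described above, an unchecked product of header-supplied dimensions used as a buffer offset, and the overflow-checked form a decoder should use instead, as an added C example. This is illustrative code written for this page, not OpenEXR's own ht_undo_impl() or its data types; the channel_desc struct, the function names and the sample dimensions are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-channel description read from an (untrusted) file header.
 * Not OpenEXR's real structures. */
typedef struct {
    uint32_t width;            /* samples per row */
    uint32_t height;           /* number of rows */
    uint32_t bytes_per_sample; /* e.g. 2 for half, 4 for float/uint */
} channel_desc;

/* Vulnerable pattern: the product silently wraps in 32 bits, so a huge
 * channel reports a tiny (even zero) byte count. Any buffer sized or
 * indexed from this value is then too small for the data actually written. */
uint32_t channel_bytes_unchecked(const channel_desc *c)
{
    return c->width * c->height * c->bytes_per_sample;
}

/* Portable overflow-checked 32-bit multiply. Returns false on wrap-around
 * and leaves *out untouched, so a caller cannot use a bogus value by mistake. */
bool mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Hardened replacement for channel_bytes_unchecked(): every partial
 * product is checked before it is used. */
bool channel_bytes_checked(const channel_desc *c, uint32_t *out)
{
    uint32_t row_bytes;
    if (!mul_u32_checked(c->width, c->bytes_per_sample, &row_bytes))
        return false;
    return mul_u32_checked(row_bytes, c->height, out);
}

/* Stand-in for the "undo" step of a decoder that lays channels out one after
 * another in a heap buffer. Each write is bounds-checked against the
 * destination length. Returns the number of channels placed, or -1 if the
 * size arithmetic overflows or a channel would not fit. */
int place_channels(const channel_desc *chans, size_t nchans,
                   uint8_t *dst, size_t dst_len)
{
    size_t offset = 0;
    for (size_t i = 0; i < nchans; i++) {
        uint32_t nbytes;
        if (!channel_bytes_checked(&chans[i], &nbytes))
            return -1;                       /* header dimensions overflow */
        /* offset <= dst_len always holds here, so this subtraction is safe
         * and the comparison cannot itself overflow. */
        if (nbytes > dst_len - offset)
            return -1;                       /* would write past the buffer */
        memset(dst + offset, 0, nbytes);     /* stands in for decoded samples */
        offset += nbytes;
    }
    return (int)nchans;
}

int main(void)
{
    /* Constructed sample: 65536 x 65536 x 4 bytes is 2^34, which wraps to 0. */
    channel_desc huge = { 65536, 65536, 4 };
    uint32_t checked = 0;

    printf("unchecked size: %u bytes\n", channel_bytes_unchecked(&huge));
    printf("checked size ok: %s\n",
           channel_bytes_checked(&huge, &checked) ? "yes" : "no (overflow)");

    uint8_t buf[128];
    channel_desc two[2] = { { 8, 4, 2 }, { 8, 4, 2 } };
    printf("two 64-byte channels into 128 bytes: %d\n",
           place_channels(two, 2, buf, sizeof buf));
    return 0;
}
```

The defensive point is that the checked multiply refuses to produce a value at all on overflow, and the placement loop compares the remaining space (dst_len - offset) rather than offset + nbytes, so neither the size computation nor the bounds check can wrap.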

Affected Version(s)

openexr >= 3.4.0, < 3.4.11

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
