8.4

CVE-2026-27622

Exploit

OpenEXR CompositeDeepScanLine integer-overflow leads to heap OOB write

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32.  overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenexrOpenexr Version < 3.2.6
OpenexrOpenexr Version >= 3.3.0 < 3.3.8
OpenexrOpenexr Version >= 3.4.0 < 3.4.6
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.2% 0.101
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com 8.4 0 0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.4 1.4 5.9
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963
Vendor Advisory
Exploit
https://access.redhat.com/errata/RHSA-2026:16174
https://access.redhat.com/errata/RHSA-2026:16008
https://access.redhat.com/errata/RHSA-2026:16009
https://access.redhat.com/errata/RHSA-2026:16030
https://access.redhat.com/errata/RHSA-2026:12338
https://access.redhat.com/errata/RHSA-2026:12339
https://access.redhat.com/errata/RHSA-2026:12340
https://access.redhat.com/errata/RHSA-2026:12341
https://access.redhat.com/errata/RHSA-2026:7678
https://access.redhat.com/errata/RHSA-2026:7682
https://access.redhat.com/errata/RHSA-2026:8863
https://access.redhat.com/errata/RHSA-2026:8869
https://access.redhat.com/errata/RHSA-2026:8870
https://access.redhat.com/errata/RHSA-2026:8871
https://access.redhat.com/errata/RHSA-2026:8872
https://access.redhat.com/errata/RHSA-2026:8888
https://access.redhat.com/security/cve/CVE-2026-27622
https://bugzilla.redhat.com/show_bug.cgi?id=2444251
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27622.json