8.4
CVE-2026-27622
- EPSS 0.2%
- Veröffentlicht 03.03.2026 22:42:49
- Zuletzt bearbeitet 30.06.2026 03:17:56
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
OpenEXR CompositeDeepScanLine integer-overflow leads to heap OOB write
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.101 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 8.4 | 0 | 0 |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.4 | 1.4 | 5.9 |
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-190 Integer Overflow or Wraparound
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-787 Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer.
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963
https://access.redhat.com/errata/RHSA-2026:16174
https://access.redhat.com/errata/RHSA-2026:16008
https://access.redhat.com/errata/RHSA-2026:16009
https://access.redhat.com/errata/RHSA-2026:16030
https://access.redhat.com/errata/RHSA-2026:12338
https://access.redhat.com/errata/RHSA-2026:12339
https://access.redhat.com/errata/RHSA-2026:12340
https://access.redhat.com/errata/RHSA-2026:12341
https://access.redhat.com/errata/RHSA-2026:7678
https://access.redhat.com/errata/RHSA-2026:7682
https://access.redhat.com/errata/RHSA-2026:8863
https://access.redhat.com/errata/RHSA-2026:8869
https://access.redhat.com/errata/RHSA-2026:8870
https://access.redhat.com/errata/RHSA-2026:8871
https://access.redhat.com/errata/RHSA-2026:8872
https://access.redhat.com/errata/RHSA-2026:8888
https://access.redhat.com/security/cve/CVE-2026-27622
https://bugzilla.redhat.com/show_bug.cgi?id=2444251
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27622.json