CVE-2026-27622
Integer Overflow in OpenEXR readPixels Causes Buffer Overflow
Publication date: 2026-03-03
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openexr | openexr | to 3.2.6 (exc) |
| openexr | openexr | From 3.3.0 (inc) to 3.3.8 (exc) |
| openexr | openexr | From 3.4.0 (inc) to 3.4.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
Can you explain this vulnerability to me?
This vulnerability exists in OpenEXR's CompositeDeepScanLine::readPixels function, where per-pixel totals are accumulated in a vector of unsigned integers. An attacker can control large counts across many parts, causing the totals to wrap around modulo 2^32. This wrapping leads to an incorrect overall sample count, which is then used to resize a sample buffer to a size smaller than needed. Subsequent operations write beyond the bounds of this undersized buffer, causing a buffer overrun.
The issue is fixed in OpenEXR versions 3.2.6, 3.3.8, and 3.4.6.
How can this vulnerability impact me? :
This vulnerability can lead to a buffer overrun, which may cause application crashes, data corruption, or potentially allow an attacker to execute arbitrary code or escalate privileges within the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in OpenEXR versions 3.2.6, 3.3.8, and 3.4.6.
To mitigate this vulnerability, you should upgrade your OpenEXR installation to one of these fixed versions as soon as possible.