CVE-2026-40244
Integer Overflow in OpenEXR DWA Compressor Affecting Image Processing
Publication date: 2026-04-21
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openexr | openexr | From 3.2.0 (inc) to 3.2.8 (exc) |
| openexr | openexr | From 3.3.0 (inc) to 3.3.10 (exc) |
| openexr | openexr | From 3.4.0 (inc) to 3.4.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-40244 vulnerability in OpenEXR can lead to heap memory corruption through integer overflow in pointer arithmetic when processing crafted EXR files. This can potentially result in arbitrary code execution or denial of service, impacting the confidentiality, integrity, and availability of the affected system.
Such impacts on confidentiality, integrity, and availability could affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system reliability. However, the provided information does not explicitly discuss compliance implications or regulatory impact.
Can you explain this vulnerability to me?
CVE-2026-40244 is an integer overflow vulnerability in the OpenEXR library, specifically in the DWA (Digital Wavelet Algorithm) compression setupChannelData function. The issue occurs because the multiplication of two 32-bit signed integers, width and height of an image channel, is done without casting to a larger size type (size_t). This can cause the multiplication to overflow and wrap around, resulting in an incorrect value used as a byte offset in pointer arithmetic.
This incorrect pointer arithmetic leads to heap memory corruption during Run-Length Encoding (RLE) decoding, as the code writes through corrupted pointers referencing memory inside or before the allocated buffer. The vulnerability is a missed variant of a previously fixed integer overflow (CVE-2026-34589) and is fixed by adding explicit casts to size_t in the multiplication to prevent overflow.
How can this vulnerability impact me? :
The integer overflow can cause heap buffer corruption when processing maliciously crafted large EXR image files using DWAA or DWAB compression with very large image dimensions. This memory corruption can lead to serious security risks such as arbitrary code execution or denial of service (application crashes).
The vulnerability impacts the confidentiality, integrity, and availability of the affected system by allowing an attacker to potentially execute arbitrary code or cause the application to crash.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an integer overflow in the OpenEXR library's DWA compression setupChannelData function, triggered by processing crafted EXR files with very large image dimensions. Detection involves identifying usage of vulnerable OpenEXR versions (3.2.0 through 3.2.7, 3.3.0 through 3.3.9, and 3.4.0 through 3.4.9) and monitoring for attempts to open or process suspiciously large DWAA or DWAB compressed EXR files.
Since the vulnerability is triggered by local processing of crafted files, network detection is limited. However, you can scan your systems for installed OpenEXR versions using package management commands or by checking the OpenEXR library version in use.
- On Linux, check installed OpenEXR version with: `dpkg -l | grep openexr` or `rpm -qa | grep openexr`
- If you have source or binaries, check the version with: `exrheader --version` or by inspecting the library metadata.
To detect exploitation attempts, monitor logs or application behavior for crashes or heap corruption when processing EXR files, especially those with DWAA/DWAB compression and large image dimensions.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the OpenEXR library to a fixed version that addresses CVE-2026-40244. Fixed versions include 3.2.8, 3.3.10, and 3.4.10.
- Upgrade OpenEXR to version 3.2.8 or later if using the 3.2.x series.
- Upgrade OpenEXR to version 3.3.10 or later if using the 3.3.x series.
- Upgrade OpenEXR to version 3.4.10 or later if using the 3.4.x series.
Until the upgrade is applied, avoid processing untrusted or suspicious EXR files, especially those using DWAA or DWAB compression with very large image dimensions, to prevent triggering the integer overflow and potential heap corruption.