CVE-2026-40250
Received Received - Intake
Integer Overflow in OpenEXR DWA Compressor Affecting Image Processing

Publication date: 2026-04-21

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1040` performs `chan->width * chan->bytes_per_element` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other decoders by CVE-2026-34589/34588/34544, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1040`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40250
EUVD
EUVD-2026-24047
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
openexr openexr From 3.2.0 (inc) to 3.2.8 (exc)
openexr openexr From 3.3.0 (inc) to 3.3.10 (exc)
openexr openexr From 3.4.0 (inc) to 3.4.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40250 is a high-severity integer overflow vulnerability in the OpenEXR library's DWA decoder, specifically in the pointer arithmetic of the outBufferEnd variable within the DwaCompressor_uncompress() function in the file internal_dwa_compressor.h.

The issue occurs at line 1040, where the expression outBufferEnd += chan->width * chan->bytes_per_element; is computed using signed 32-bit integer arithmetic without casting to size_t. Here, chan->width is an int32_t derived from the EXR dataWindow header, and chan->bytes_per_element is an int8_t (typically 4 for FLOAT channels).

For large widths greater than 536,870,912, the multiplication overflows the 32-bit signed integer limit (INT32_MAX), causing the result to wrap around to a negative value. Since outBufferEnd is a uint8_t* pointer, this overflow leads to incorrect pointer advancement, causing DctCoderChannelData_push_row to store row pointers that alias earlier buffer regions.

When LossyDctDecoder_execute writes decoded pixels through these aliased pointers, it results in heap corruption. This vulnerability is a missed variant of previously fixed integer overflow patterns in similar code.

The vulnerability can be triggered by opening a crafted EXR file using DWAA/DWAB compression with a dataWindow width exceeding 537 million pixels. The suggested fix is to cast both operands to size_t in the multiplication to prevent overflow.

Impact Analysis

This vulnerability causes heap buffer corruption, enabling out-of-bounds writes during image decoding.

An attacker can exploit this by providing a crafted EXR image file with a very large width, causing the integer overflow and subsequent memory corruption.

The impact includes potential crashes, data corruption, or execution of arbitrary code within the context of the application processing the image.

The CVSS v4 base score is 8.4 (High), indicating a serious security risk with high confidentiality, integrity, and availability impacts.

Detection Guidance

This vulnerability occurs when processing crafted EXR files with DWAA/DWAB compression that have a dataWindow width exceeding 537 million pixels, causing an integer overflow in the OpenEXR DWA decoder.

Detection involves identifying if your system uses vulnerable versions of the OpenEXR library (versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7) and if any crafted EXR files with large widths are being opened or processed.

Since the vulnerability is triggered by opening maliciously crafted EXR files, you can detect attempts by monitoring file access or scanning EXR files for unusually large dataWindow widths.

Suggested commands to check the OpenEXR version installed on your system include:

  • For Linux systems, use: `exrheader --version` or check the package version with `dpkg -l | grep openexr` or `rpm -qa | grep openexr`.
  • To inspect EXR files for large dataWindow widths, you may use tools like `exrheader` to extract header information and script checks for unusually large width values.

No specific network detection commands are provided, as the vulnerability is local and triggered by opening crafted files.

Mitigation Strategies

The immediate mitigation step is to update the OpenEXR library to a fixed version that addresses this vulnerability. Versions 3.4.10, 3.3.10, and 3.2.8 contain the fix that adds proper casting to prevent the integer overflow.

If updating is not immediately possible, avoid opening or processing untrusted or crafted EXR files, especially those using DWAA/DWAB compression with large image widths.

Implement file validation or scanning to detect and block EXR files with suspiciously large dataWindow widths before processing.

Monitor and restrict user actions that involve opening EXR files from untrusted sources to reduce the risk of exploitation.

Compliance Impact

The provided information does not specify any direct impact or implications of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40250. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart