CVE-2026-40250
Integer Overflow in OpenEXR DWA Compressor Affecting Image Processing
Publication date: 2026-04-21
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openexr | openexr | From 3.2.0 (inc) to 3.2.8 (exc) |
| openexr | openexr | From 3.3.0 (inc) to 3.3.10 (exc) |
| openexr | openexr | From 3.4.0 (inc) to 3.4.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40250 is a high-severity integer overflow vulnerability in the OpenEXR library's DWA decoder, specifically in the pointer arithmetic of the outBufferEnd variable within the DwaCompressor_uncompress() function in the file internal_dwa_compressor.h.
The issue occurs at line 1040, where the expression outBufferEnd += chan->width * chan->bytes_per_element; is computed using signed 32-bit integer arithmetic without casting to size_t. Here, chan->width is an int32_t derived from the EXR dataWindow header, and chan->bytes_per_element is an int8_t (typically 4 for FLOAT channels).
For large widths greater than 536,870,912, the multiplication overflows the 32-bit signed integer limit (INT32_MAX), causing the result to wrap around to a negative value. Since outBufferEnd is a uint8_t* pointer, this overflow leads to incorrect pointer advancement, causing DctCoderChannelData_push_row to store row pointers that alias earlier buffer regions.
When LossyDctDecoder_execute writes decoded pixels through these aliased pointers, it results in heap corruption. This vulnerability is a missed variant of previously fixed integer overflow patterns in similar code.
The vulnerability can be triggered by opening a crafted EXR file using DWAA/DWAB compression with a dataWindow width exceeding 537 million pixels. The suggested fix is to cast both operands to size_t in the multiplication to prevent overflow.
How can this vulnerability impact me? :
This vulnerability causes heap buffer corruption, enabling out-of-bounds writes during image decoding.
An attacker can exploit this by providing a crafted EXR image file with a very large width, causing the integer overflow and subsequent memory corruption.
The impact includes potential crashes, data corruption, or execution of arbitrary code within the context of the application processing the image.
The CVSS v4 base score is 8.4 (High), indicating a serious security risk with high confidentiality, integrity, and availability impacts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when processing crafted EXR files with DWAA/DWAB compression that have a dataWindow width exceeding 537 million pixels, causing an integer overflow in the OpenEXR DWA decoder.
Detection involves identifying if your system uses vulnerable versions of the OpenEXR library (versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7) and if any crafted EXR files with large widths are being opened or processed.
Since the vulnerability is triggered by opening maliciously crafted EXR files, you can detect attempts by monitoring file access or scanning EXR files for unusually large dataWindow widths.
Suggested commands to check the OpenEXR version installed on your system include:
- For Linux systems, use: `exrheader --version` or check the package version with `dpkg -l | grep openexr` or `rpm -qa | grep openexr`.
- To inspect EXR files for large dataWindow widths, you may use tools like `exrheader` to extract header information and script checks for unusually large width values.
No specific network detection commands are provided, as the vulnerability is local and triggered by opening crafted files.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the OpenEXR library to a fixed version that addresses this vulnerability. Versions 3.4.10, 3.3.10, and 3.2.8 contain the fix that adds proper casting to prevent the integer overflow.
If updating is not immediately possible, avoid opening or processing untrusted or crafted EXR files, especially those using DWAA/DWAB compression with large image widths.
Implement file validation or scanning to detect and block EXR files with suspiciously large dataWindow widths before processing.
Monitor and restrict user actions that involve opening EXR files from untrusted sources to reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact or implications of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.