CVE-2026-44663
Heap Buffer Overflow in OpenEXR HTJ2K Decoder

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: GitHub, Inc.

Description
OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, an integer overflow in ht_undo_impl() in src/lib/OpenEXRCore/internal_ht.cpp leads to a heap-buffer overflow when decoding a crafted HTJ2K-compressed EXR file. decode->channels[i].width (int32_t) is multiplied by bytes_per_element in 32-bit signed arithmetic. With large widths (e.g., >= 536870912 for FLOAT data), this overflows, producing a corrupted offset that is later used for pointer arithmetic and can cause a heap out-of-bounds write. The same unchecked multiplication pattern appears in two other HTJ2K paths (bytes-per-line accumulation and pixel-line pointer advancement). As with related CVE-2026-34378 through CVE-2026-34589 fixes in other codecs, validating only after the multiplication is too late because the value may already be overflowed. This issue has been fixed in version 3.4.12.
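The arithmetic the description refers to, shown as an added illustration rather than OpenEXR's own code: the unchecked 32-bit multiply, a check applied only after the multiply, and the pre-multiplication bound that the fix pattern relies on. Function names and the 4-byte element size for FLOAT are assumptions; the widths are the ones quoted above.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration; not OpenEXR code. Names are hypothetical. */

/* Models the unchecked 32-bit multiply. Going through uint32_t reproduces
 * the wrapped value without relying on undefined signed overflow. */
static int32_t row_bytes_unchecked(int32_t width, int32_t bytes_per_element)
{
    return (int32_t)((uint32_t)width * (uint32_t)bytes_per_element);
}

/* A check applied after the multiply (rejects negative results only).
 * Returns true when the possibly wrapped value would still be accepted. */
static bool post_multiply_check_accepts(int32_t width, int32_t bytes_per_element)
{
    return row_bytes_unchecked(width, bytes_per_element) >= 0;
}

/* The fix pattern: bound the operands before multiplying. */
static bool row_bytes_checked(int32_t width, int32_t bytes_per_element, int32_t *out)
{
    if (width < 0 || bytes_per_element <= 0)
        return false;
    if (width > INT32_MAX / bytes_per_element) /* product would exceed int32_t */
        return false;
    *out = width * bytes_per_element;
    return true;
}

int main(void)
{
    const int32_t bpe_float = 4; /* assumed size of a FLOAT sample */
    int32_t ok = 0;
    /* 2^29 * 4 wraps to INT32_MIN: the post-check happens to catch it */
    printf("width 2^29: unchecked %d, post-check accepts %d\n",
           row_bytes_unchecked(536870912, bpe_float),
           post_multiply_check_accepts(536870912, bpe_float));
    /* 2^30 * 4 wraps to 0: non-negative, so the post-check accepts garbage */
    printf("width 2^30: unchecked %d, post-check accepts %d\n",
           row_bytes_unchecked(1073741824, bpe_float),
           post_multiply_check_accepts(1073741824, bpe_float));
    printf("pre-check width 2^29: %s\n",
           row_bytes_checked(536870912, bpe_float, &ok) ? "accepted" : "rejected");
    printf("pre-check width 4096: %s (%d bytes)\n",
           row_bytes_checked(4096, bpe_float, &ok) ? "accepted" : "rejected", ok);
    return 0;
}
```

The width 2^30 case is the one that matters: the wrapped product is 0, which passes a sign check yet describes a row of no bytes, so only the bound checked before the multiply rejects it.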
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
openexr | openexr | From 3.4.0 (inclusive) to 3.4.11 (inclusive)
openexr | openexr | 3.4.12
CWE ID | Description
CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

This vulnerability exists in OpenEXR versions 3.4.0 through 3.4.11, specifically in the ht_undo_impl() function within the internal_ht.cpp file. It involves an integer overflow during the decoding of a crafted HTJ2K-compressed EXR file. The issue arises because the width of image channels (an int32_t value) is multiplied by the bytes per element using 32-bit signed arithmetic. When the width is very large (for example, 536870912 or more for FLOAT data), this multiplication overflows, resulting in a corrupted offset.

This corrupted offset is then used in pointer arithmetic, which can cause a heap-buffer overflow, leading to a heap out-of-bounds write. The same unchecked multiplication pattern appears in two other HTJ2K decoding paths, so the problem is not confined to a single site. The vulnerability has been fixed in OpenEXR version 3.4.12.

Impact Analysis

The vulnerability can lead to a heap-buffer overflow when decoding specially crafted HTJ2K-compressed EXR files. This can cause memory corruption, which may be exploited to crash the application or potentially execute arbitrary code. The CVSS score indicates a moderate severity with a base score of 6.1, highlighting that the impact includes a high potential for availability disruption (denial of service) and some integrity loss, but no confidentiality impact.

Mitigation Strategies

The vulnerability in OpenEXR versions 3.4.0 through 3.4.11 is fixed in version 3.4.12.

To mitigate this vulnerability, you should immediately upgrade OpenEXR to version 3.4.12 or later.
