CVE-2026-45696
Received Received - Intake
Heap Buffer Overflow in OpenEXR HTJ2K Decoder

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: GitHub, Inc.

Description
OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, the HTJ2K (High-Throughput JPEG 2000) decoder, ht_undo_impl() in OpenEXRCore is vulnerable to a heap-buffer-overflow READ. The ht_undo_imp function copies decoded pixels out of a per-line OpenJPH buffer using the EXR channel's declared width as the iteration count. The codestream embedded in the EXR chunk can declare different (smaller) tile/line dimensions than the EXR header advertises, but ht_undo_impl() does not validate this β€” it pulls width 32-bit samples from cur_line->i32[] without checking the OpenJPH line buffer's actual length. A crafted EXR file produces a 4-byte heap-buffer-overflow READ immediately after a buffer allocated by ojph::local::codestream::finalize_alloc(). The bug is reachable through the standard scanline-decode entry point used by every consumer of exr_decoding_run/Imf::checkOpenEXRFile, including thumbnailers, asset pipelines, and the exrcheck utility β€” i.e. any application that opens untrusted EXR files. The result is a deterministic crash (DoS) and potential adjacent-heap leak. This issue has been fixed in version 3.4.12.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-06-19
AI Q&A
2026-06-19
EPSS Evaluated
N/A
NVD
CVE-2026-45696
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
openexr openexr From 3.4.0 (inc) to 3.4.11 (inc)
openexr openexr 3.4.12
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenEXR versions 3.4.0 through 3.4.11, specifically in the HTJ2K decoder's ht_undo_impl() function. The function copies decoded pixels from a buffer using the EXR channel's declared width without validating if the actual buffer length matches this width. A crafted EXR file can declare smaller tile or line dimensions than the header advertises, causing the function to read beyond the allocated buffer by 4 bytes. This results in a heap-buffer-overflow read, which can cause a deterministic crash or potentially leak adjacent heap memory.

Impact Analysis

The vulnerability can lead to a deterministic crash of any application that processes untrusted EXR files using the affected OpenEXR versions. This results in a denial of service (DoS). Additionally, there is a potential for leaking adjacent heap memory, which could expose sensitive information.

Mitigation Strategies

To mitigate this vulnerability, update OpenEXR to version 3.4.12 or later, where the heap-buffer-overflow issue in the HTJ2K decoder has been fixed.

Avoid opening untrusted EXR files with vulnerable versions of OpenEXR, as the flaw can be triggered by crafted EXR files leading to crashes or potential information leaks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45696. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart