OpenEXR Image Format Allows Data Corruption and Overflow

UBUNTU-CVE-2026-27622
Summary

OpenEXR, an image storage format used in the motion picture industry, has a bug that can cause data corruption and overflow when reading certain image files. This could lead to incorrect image data being displayed, potentially affecting the quality of the image. Update to version 3.2.6, 3.3.8, or 3.4.6 to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor      Product   Affected versions   Fix available
canonical   openexr   All versions
Original title
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel tota...
Original description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes; for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
CVSS 4.0 (OSV): 8.9
CVSS 3.1 (OSV): 7.8
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026