2444251 – (CVE-2026-27622) CVE-2026-27622 openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing

Bug 2444251 (CVE-2026-27622) - CVE-2026-27622 openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing

Summary: CVE-2026-27622 openexr: OpenEXR: Arbitrary code execution via integer overflo...

Keywords:
Status:	NEW
Alias:	CVE-2026-27622
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2444289 2444290 2444291 2444292
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-03 23:02 UTC by OSIDB Bzimport
Modified:	2026-03-04 16:31 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-03 23:02:50 UTC

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32.  overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.

Note You need to log in before you can comment on or make changes to this bug.