Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
https://www.cve.org/CVERecord?id=CVE-2026-27622

> OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes; for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.

The usd package *does* bundle code from an affected version of OpenEXR:

# Version from
# pxr/imaging/plugin/hioOpenEXR/OpenEXR/OpenEXRCore/openexr_version.h
# From pxr/imaging/plugin/hioOpenEXR/OpenEXR/README.md:
# A few changes are still in progress to upstreamed to the OpenEXR project,
# but these are minor, and otherwise, almost all differences between the
# interred OpenEXRCore and the official OpenEXR repo are consolidated to the
# openexr_conf.h header. The remaining differences are removing an extern
# marking from the few global data tables.
# This suggests that it may not be entirely safe to unbundle this.
Provides: bundled(openexr) = 3.2.0

However, it turns out that the class in which the CVE bug exists is not part of the bundled subset:

$ fedpkg prep
$ rg CompositeDeepScanLine usd-26.03-build

Therefore, the usd package is not affected.
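The wrap described in the CVE text above, as an added illustration that is not OpenEXR or usd code: per-part sample counts summed into a 32-bit counter wrap silently, so a buffer sized from that total is too small for the true count, while a widened, bounded accumulation rejects the input before any size is derived. The function names, the limit parameter and the sample counts are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Naive accumulation, mirroring an unsigned 32-bit total: the sum wraps
 * modulo 2^32 and the value later used to size a buffer no longer matches
 * the number of samples the decoder will actually write. */
uint32_t wrapping_total(const uint32_t *counts, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += counts[i];          /* wraps silently on overflow */
    return total;
}

/* Checked accumulation: widen to 64 bits and refuse any total above a
 * caller-supplied limit (here the 32-bit range, or a sane memory budget).
 * Returns 0 and stores the total on success, -1 if the input is rejected. */
int checked_total(const uint32_t *counts, size_t n, uint32_t limit, uint32_t *out) {
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += counts[i];          /* uint64 cannot wrap for realistic n */
        if (total > limit)
            return -1;               /* reject before deriving a buffer size */
    }
    *out = (uint32_t)total;
    return 0;
}

/* Constructed input: two parts each declare 0x80000001 samples for a pixel.
 * True total is 0x100000002; the 32-bit sum is 2. */
static const uint32_t demo_counts[] = { 0x80000001u, 0x80000001u };

uint32_t demo_wrapped(void) { return wrapping_total(demo_counts, 2); }  /* 2 */

int demo_checked(void) {
    uint32_t total = 0;
    return checked_total(demo_counts, 2, UINT32_MAX, &total);           /* -1 */
}

int main(void) {
    printf("wrapped total = %u (true total 0x100000002)\n", demo_wrapped());
    printf("checked accumulation rc = %d\n", demo_checked());
    return 0;
}
```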