CVE-2026-40244 in OpenEXRinformation

Résumé

par MITRE • 21/04/2026

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs `curc->width * curc->height` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other locations by the recent CVE-2026-34589 batch, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1722`.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsable

GitHub M

Réserver

10/04/2026

Divulgation

21/04/2026

Modérer

accepté

Entrée

VDB-358384

CPE

prêt

CWE

CWE-190 (confirmé)

CVSS

6.3 (VulDB)

EPSS

0.00033

KEV

non

Activités

très faible

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-40244
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-40244
CVE Details	https://www.cvedetails.com/cve/CVE-2026-40244/

◂ Précédent Aperçu Suivant ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!