{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40244", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T17:31:45.786Z", "datePublished": "2026-04-21T01:30:55.061Z", "dateUpdated": "2026-04-21T19:31:39.166Z"}, "containers": {"cna": {"title": "OpenEXR has integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)", "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-j526-66f6-fxhx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-j526-66f6-fxhx"}, {"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.8"}, {"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10"}, {"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10"}], "affected": [{"vendor": "AcademySoftwareFoundation", "product": "openexr", "versions": [{"version": ">= 3.2.0, < 3.2.8", "status": "affected"}, {"version": ">= 3.3.0, < 3.3.10", "status": "affected"}, {"version": ">= 3.4.0, < 3.4.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T01:30:55.061Z"}, "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs `curc->width * curc->height` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other locations by the recent CVE-2026-34589 batch, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1722`."}], "source": {"advisory": "GHSA-j526-66f6-fxhx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:31:28.623125Z", "id": "CVE-2026-40244", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:31:39.166Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40244", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T19:31:28.623125Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:31:35.069Z"}}], "cna": {"title": "OpenEXR has integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)", "source": {"advisory": "GHSA-j526-66f6-fxhx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "AcademySoftwareFoundation", "product": "openexr", "versions": [{"status": "affected", "version": ">= 3.2.0, < 3.2.8"}, {"status": "affected", "version": ">= 3.3.0, < 3.3.10"}, {"status": "affected", "version": ">= 3.4.0, < 3.4.10"}]}], "references": [{"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-j526-66f6-fxhx", "name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-j526-66f6-fxhx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.8", "name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10", "name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10", "name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs `curc->width * curc->height` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other locations by the recent CVE-2026-34589 batch, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1722`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T01:30:55.061Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40244", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:31:39.166Z", "dateReserved": "2026-04-10T17:31:45.786Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T01:30:55.061Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "matchCriteriaId": "AF3B98B2-5B06-4927-AA98-D71452BE771B", "versionEndExcluding": "3.2.8", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "matchCriteriaId": "1364DD64-2F48-496E-B9B8-B8D948592254", "versionEndExcluding": "3.3.10", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "matchCriteriaId": "7AEDBB28-BFC6-427E-977B-A26211BC5724", "versionEndExcluding": "3.4.10", "versionStartIncluding": "3.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs `curc->width * curc->height` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other locations by the recent CVE-2026-34589 batch, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1722`."}], "id": "CVE-2026-40244", "lastModified": "2026-04-22T18:41:48.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T02:16:08.060", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.8"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-j526-66f6-fxhx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.3.0,3.3.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.4.0,3.4.10)"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 82.0, "source": "matching"}]}, "original": {"product": "openexr", "source": "cna", "vendor": "AcademySoftwareFoundation"}, "product": "openexr", "vendor": "academysoftwarefoundation"}], "analysis": {"en": {"generated_at": "2026-04-21T15:31:08.914214+00:00", "value": {"mitigation_remediation": ["Update OpenEXR to version 3.4.10, 3.3.10, or 3.2.8 (or later) to apply the fix", "Configure applications to reject or sandbox processing of untrusted EXR files until the library is updated", "If immediate upgrade is impossible, disable DWA compression or manually patch the internal_dwa_compressor.h source to reject sizes that would overflow"], "summary": {"action": "Immediate Patch", "impact": "Integer overflow leading to potential memory corruption and arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The Academy Software Foundation\u2019s OpenEXR library versions 3.2.0 to 3.2.7, 3.3.0 to 3.3.9, and 3.4.0 to 3.4.9 are vulnerable. The fix is included in releases 3.2.8, 3.3.10, and 3.4.10.", "description_and_impact": "OpenEXR performs curc->width*curc->height in internal_dwa_compressor.h:1722 using 32\u2011bit signed arithmetic without a cast, causing an integer overflow that miscalculates the buffer size for DWA compression. This overflow can result in writes beyond the allocated buffer, enabling an attacker who can supply a crafted EXR file to corrupt memory or potentially execute arbitrary code. The weakness is labeled CWE\u2011190.", "risk_and_exploitability": "With a CVSS score of 8.4 the vulnerability is high severity. The EPSS score is not available, so exact exploit probability cannot be assessed, and the vulnerability is not listed in CISA KEV, indicating no known public exploitation. The vulnerable code is invoked when parsing EXR files, so the likely attack vector involves a malicious image supplied to the application. If the application runs with elevated privileges, the potential impact extends to full system compromise."}}}}, "created": "2026-04-21T15:37:55.177755+00:00", "updated": "2026-04-22T11:46:56.796784+00:00", "vendors": ["academysoftwarefoundation", "academysoftwarefoundation$PRODUCT$openexr"]}