OpenEXR CompositeDeepScanLine integer-overflow leads to heap OOB write
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in the vector total_sizes; for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from the wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup and consumption proceed with the true sample counts, and write operations in the core unpack routine (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A 32-bit integer overflow in OpenEXR's CompositeDeepScanLine::readPixels leads to undersized heap allocations and out-of-bounds write, enabling memory corruption or RCE via crafted deep EXR files.
Vulnerability
Overview
In OpenEXR's composite deep image reading path, CompositeDeepScanLine::readPixels accumulates per-pixel sample counts into the vector total_sizes using 32-bit arithmetic. An attacker can supply a multipart deep EXR file with very large sample counts across many parts, causing total_sizes[ptr] to wrap modulo 2^32. The subsequently computed overall_sample_count is therefore truncated, so an undersized heap buffer is allocated for samples[channel], while decode pointer setup and consumption proceed using the true (unwrapped) sample counts [1][2].
Exploitation
Details
This bug is reachable through the standard high-level deep read flow: MultiPartInputFile, DeepScanLineInputPart, and CompositeDeepScanLine. Compression features of the EXR format (RLE, ZIPS) allow the attacker to keep the file small while generating extreme decode pressure. Write operations in generic_unpack_deep_pointers (in `src/lib/OpenEXRCore/unpack.c`) then write past the undersized composite sample buffer, causing a heap out-of-bounds write [1].
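The size mismatch described above (a 32-bit running total that wraps, a buffer sized from the wrapped value, and a consumer that works from the true counts) is a general integer-overflow pattern. The following is an added illustration written for this page, not OpenEXR's code: the function names, the four-part sample counts and the cap value are constructed for the demonstration. It places the wrapping accumulator beside a 64-bit checked form that refuses any total the allocation path could not honour, which is the shape of fix a reviewer would look for in code that sizes buffers from file-supplied counts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed input: four "parts" that each report 0x40000001 samples for
 * the same pixel. The true total is 0x100000004 (4294967300), which does
 * not fit in 32 bits. These numbers are made up for the demonstration. */
#define NUM_PARTS 4
static const uint32_t kPartCounts[NUM_PARTS] = {
    0x40000001u, 0x40000001u, 0x40000001u, 0x40000001u};

/* A benign constructed input for comparison: totals well below 2^32. */
static const uint32_t kSmallCounts[3] = {10u, 20u, 30u};

/* Pattern of the defect: per-pixel totals kept in a 32-bit accumulator.
 * Unsigned addition wraps modulo 2^32, so the function returns a small
 * number that a caller would then hand to resize(). */
uint32_t total_samples_wrapping(const uint32_t *counts, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += counts[i]; /* wraps silently */
    return total;
}

/* Hardened form: accumulate in 64 bits and reject totals above a cap the
 * allocation path is prepared to honour. Returns false (and leaves *out
 * untouched) on overflow so the caller can abort the read instead of
 * sizing a buffer from a truncated value. */
bool total_samples_checked(const uint32_t *counts, size_t n, uint64_t cap,
                           uint64_t *out)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += counts[i]; /* each addend < 2^32; no 64-bit overflow for realistic n */
        if (total > cap)
            return false;
    }
    *out = total;
    return true;
}

/* How many samples a consumer working from the true counts would write
 * beyond a buffer sized from the wrapped total. Zero means the two agree. */
uint64_t samples_beyond_buffer(const uint32_t *counts, size_t n)
{
    uint64_t true_total = 0;
    for (size_t i = 0; i < n; i++)
        true_total += counts[i];
    uint64_t allocated = total_samples_wrapping(counts, n);
    return true_total > allocated ? true_total - allocated : 0;
}

int main(void)
{
    uint64_t total = 0;
    printf("wrapped total   : %u\n", total_samples_wrapping(kPartCounts, NUM_PARTS));
    printf("samples past end: %llu\n",
           (unsigned long long)samples_beyond_buffer(kPartCounts, NUM_PARTS));
    if (!total_samples_checked(kPartCounts, NUM_PARTS, UINT32_MAX, &total))
        printf("checked accumulation rejected the input\n");
    return 0;
}
```

With the constructed counts the wrapping accumulator reports a total of 4, so a buffer sized from it would be short by exactly 2^32 samples, while the checked accumulator rejects the same input at the fourth part. The cap is an assumption of this example; a real reader would derive it from the maximum buffer it is willing to allocate.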
Impact
Successful exploitation leads to heap memory corruption, which can cause a denial of service (crash) or potentially remote code execution in applications that decode attacker-supplied deep EXR images. The vulnerable code path has existed since OpenEXR v2.3.0 [1][2].
Mitigation
The OpenEXR project has released fixed versions: v3.2.6, v3.3.8, and v3.4.6. Users should upgrade to a patched release. No workaround is available for older, unmaintained versions except to avoid processing untrusted deep EXR files [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OpenEXR (PyPI) | >= 2.3.0, < 3.2.6 | 3.2.6 |
| OpenEXR (PyPI) | >= 3.3.0, < 3.3.8 | 3.3.8 |
| OpenEXR (PyPI) | >= 3.4.0, < 3.4.6 | 3.4.6 |
Affected products
- AcademySoftwareFoundation/openexr, range: >= 2.3.0, < 3.2.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cr4v-6jm6-4963 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-27622 (NVD record, via GHSA)
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963 (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.