Bug#1134642: openexr: CVE-2026-40250 CVE-2026-40244 CVE-2026-39886

Moritz Mühlenhoff jmm at inutil.org
Wed Apr 22 16:51:43 BST 2026


Source: openexr
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for openexr.

CVE-2026-40250[0]:
| OpenEXR provides the specification and reference implementation of
| the EXR file format, an image storage format for the motion picture
| industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and
| 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1040` performs
| `chan->width * chan->bytes_per_element` in `int32` arithmetic
| without a `(size_t)` cast. This is the same overflow pattern fixed
| in other decoders by CVE-2026-34589/34588/34544, but this line was
| missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that
| addresses `internal_dwa_compressor.h:1040`.

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-m5qw-23x2-6phj
https://github.com/AcademySoftwareFoundation/openexr/pull/2346
Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/416fecf71241c097d52da5b219d36afd94800e69 (main)
Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/42d394a7b761325a3df7c2d57f9dfd905629ca4f (v3.4.10-rc)
Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/a41f0d19841469148aabf7e1e056fab9f1c3c4f0 (v3.2.8-rc)
CVE-2026-40244[1]:
| OpenEXR provides the specification and reference implementation of
| the EXR file format, an image storage format for the motion picture
| industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and
| 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs
| `curc->width * curc->height` in `int32` arithmetic without a
| `(size_t)` cast. This is the same overflow pattern fixed in other
| locations by the recent CVE-2026-34589 batch, but this line was
| missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that
| addresses `internal_dwa_compressor.h:1722`.

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-m5qw-23x2-6phj
https://github.com/AcademySoftwareFoundation/openexr/pull/2346
Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/416fecf71241c097d52da5b219d36afd94800e69 (main)
Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/42d394a7b761325a3df7c2d57f9dfd905629ca4f (v3.4.10-rc)
Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/a41f0d19841469148aabf7e1e056fab9f1c3c4f0 (v3.2.8-rc)


CVE-2026-39886[2]:
| OpenEXR provides the specification and reference implementation of
| the EXR file format, an image storage format for the motion picture
| industry. Versions 3.4.0 through 3.4.9 have a signed integer
| overflow vulnerability in OpenEXR's HTJ2K (High-Throughput JPEG
| 2000) decompression path. The `ht_undo_impl()` function in
| `src/lib/OpenEXRCore/internal_ht.cpp` accumulates a bytes-per-line
| value (`bpl`) using a 32-bit signed integer with no overflow guard.
| A crafted EXR file with 16,385 FLOAT channels at the HTJ2K maximum
| width of 32,767 causes `bpl` to overflow `INT_MAX`, producing
| undefined behavior confirmed by UBSan. On an allocator-permissive
| host where the required ~64 GB allocation succeeds, the wrapped
| negative `bpl` value would subsequently be used as a per-scanline
| pointer advance, which would produce a heap out-of-bounds write. On
| a memory-constrained host, the allocation fails before
| `ht_undo_impl()` is entered. This is the second distinct integer
| overflow in `ht_undo_impl()`. CVE-2026-34545 addressed a different
| overflow in the same function — the `int16_t p` pixel-loop counter
| at line ~302 that overflows when iterating over channels whose
| `width` exceeds 32,767. The CVE-2026-34545 fix did not touch the
| `int bpl` accumulator at line 211, which is the subject of this
| advisory. The `bpl` accumulator was also not addressed by any of the
| 8 advisories in the 2026-04-05 v3.4.9 release batch. This finding is
| structurally identical to CVE-2026-34588 (PIZ `wcount*nx` overflow
| in `internal_piz.c`) and should be remediated with the same pattern.
| The CVE-2026-34588 fix did not touch `internal_ht.cpp`. Version
| 3.4.10 contains a remediation that addresses the vulnerability in
| `internal_ht.cpp`.

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-r3mr-mx8q-jcw5
https://github.com/AcademySoftwareFoundation/openexr/pull/2345
Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/15fd269f7ecb291b0c4a31be695b5a2e6b566dc0 (main)
Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/1577f226fb6644b7b63908af58c031bf3fd11649 (v3.4.10-rc)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40250
    https://www.cve.org/CVERecord?id=CVE-2026-40250
[1] https://security-tracker.debian.org/tracker/CVE-2026-40244
    https://www.cve.org/CVERecord?id=CVE-2026-40244
[2] https://security-tracker.debian.org/tracker/CVE-2026-39886
    https://www.cve.org/CVERecord?id=CVE-2026-39886

Please adjust the affected versions in the BTS as needed.
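As an added illustration (not OpenEXR's code or its fix), the bytes-per-line accumulation pattern described under CVE-2026-39886 beside a guarded form, using the same 16,385 FLOAT channels at width 32,767 the advisory names. `struct chan_desc`, `bpl_unchecked`, `bpl_checked` and the demo helpers are constructed names; `__builtin_*_overflow` assumes GCC or Clang, and the final INT32_MAX bound is my own guard choice, not necessarily the upstream remediation.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a channel description (not OpenEXR's struct). */
struct chan_desc {
    int32_t width;             /* samples per scanline */
    int32_t bytes_per_element; /* 2 for HALF, 4 for FLOAT or UINT */
};

/* The pattern the advisory describes: bytes-per-line summed in a 32-bit int
 * with no cast and no guard. The sum is done in uint32_t here so the demo has
 * defined behaviour; the result is what a wrapped int32 accumulator holds. */
int64_t bpl_unchecked(const struct chan_desc *chans, size_t nchans)
{
    uint32_t bpl = 0;
    for (size_t i = 0; i < nchans; i++)
        bpl += (uint32_t)chans[i].width * (uint32_t)chans[i].bytes_per_element;
    return bpl > INT32_MAX ? (int64_t)bpl - 4294967296LL : (int64_t)bpl;
}

/* Guarded form: reject negative fields, multiply and add in size_t with
 * overflow checks, and refuse totals that would not fit the int32 the
 * downstream pointer-advance code uses (that last bound is an assumption). */
bool bpl_checked(const struct chan_desc *chans, size_t nchans, size_t *out)
{
    size_t bpl = 0;
    for (size_t i = 0; i < nchans; i++) {
        size_t line;
        if (chans[i].width < 0 || chans[i].bytes_per_element < 0) return false;
        if (__builtin_mul_overflow((size_t)chans[i].width,
                                   (size_t)chans[i].bytes_per_element, &line)) return false;
        if (__builtin_add_overflow(bpl, line, &bpl)) return false;
    }
    if (bpl > (size_t)INT32_MAX) return false;
    *out = bpl;
    return true;
}

/* Constructed header from the advisory text: 16,385 FLOAT channels, width 32,767. */
#define DEMO_CHANNELS 16385
static struct chan_desc g_demo[DEMO_CHANNELS];
static const struct chan_desc *demo_channels(void)
{
    for (size_t i = 0; i < DEMO_CHANNELS; i++)
        g_demo[i] = (struct chan_desc){ .width = 32767, .bytes_per_element = 4 };
    return g_demo;
}
int64_t demo_unchecked(void) { return bpl_unchecked(demo_channels(), DEMO_CHANNELS); }
bool demo_checked(size_t *out) { return bpl_checked(demo_channels(), DEMO_CHANNELS, out); }
```

The unchecked sum lands at 2,147,549,180, which wraps to a negative per-scanline advance, while the guarded path rejects the header before any allocation.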
