{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "2.3.0"
              },
              {
                "fixed": "3.2.6"
              }
            ]
          },
          "events": [
            {
              "introduced": "0ac2ea34c8f3134148a5df4052e40f155b76f6fb"
            },
            {
              "fixed": "14e438dce8e6ebd03bc5564d02cfa97f9be6028a"
            }
          ],
          "repo": "https://github.com/academysoftwarefoundation/openexr",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "3.3.0"
              },
              {
                "fixed": "3.3.8"
              }
            ]
          },
          "events": [
            {
              "introduced": "c7d3eac70ccde2c4ed484c6638b83ba872f71464"
            },
            {
              "fixed": "3fad448f2c98c70a2f6403566a664e32bbe770f8"
            }
          ],
          "repo": "https://github.com/academysoftwarefoundation/openexr",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "3.4.0"
              },
              {
                "fixed": "3.4.6"
              }
            ]
          },
          "events": [
            {
              "introduced": "20a65852895894434bea88613f6d29ac8e88bd6e"
            },
            {
              "fixed": "d7605f5990900cff8024f1fb36ffb0912d340b52"
            }
          ],
          "repo": "https://github.com/academysoftwarefoundation/openexr",
          "type": "GIT"
        }
      ]
    },
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "3.2.6"
              },
              {
                "introduced": "3.3.0"
              },
              {
                "fixed": "3.3.8"
              },
              {
                "introduced": "3.4.0"
              },
              {
                "fixed": "3.4.6"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14e438dce8e6ebd03bc5564d02cfa97f9be6028a"
            },
            {
              "introduced": "c7d3eac70ccde2c4ed484c6638b83ba872f71464"
            },
            {
              "fixed": "3fad448f2c98c70a2f6403566a664e32bbe770f8"
            },
            {
              "introduced": "20a65852895894434bea88613f6d29ac8e88bd6e"
            },
            {
              "fixed": "d7605f5990900cff8024f1fb36ffb0912d340b52"
            }
          ],
          "repo": "https://github.com/openexr/openexr",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-cr4v-6jm6-4963"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-787"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27622.json"
  },
  "details": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector\u003cunsigned int\u003e total_sizes. For attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from the wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup and consumption proceed with the true sample counts, so write operations in the core unpack routine (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.",
  "id": "CVE-2026-27622",
  "modified": "2026-03-11T21:48:32.175131748Z",
  "published": "2026-03-03T22:42:49.086Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27622.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27622"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenEXR CompositeDeepScanLine integer overflow leads to heap out-of-bounds write"
}