CVE-2026-40250
PUBLISHED
CVSS 8.4 HIGH
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1040` performs `chan->width * chan->bytes_per_element` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other decoders by CVE-2026-34589/34588/34544, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1040`.
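The advisory describes a row-size computation whose product is formed in 32-bit signed arithmetic and only then used as a size. The following C program is an added illustration of that pattern and of the `(size_t)`-cast fix the advisory refers to; it is not OpenEXR's code. The `channel_t` struct is a hypothetical stand-in (its field names follow the advisory text, not the library's real type), the 32-bit wrap is modelled through an explicit narrowing so the demonstration itself has no undefined behaviour, and the checked variant uses the GCC/Clang builtin `__builtin_mul_overflow`, which the advisory does not mention.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the per-channel record the advisory refers to.
 * Field names follow the advisory text; the struct is not OpenEXR's type. */
typedef struct {
    int32_t width;
    int32_t bytes_per_element;
} channel_t;

/* The pattern the advisory describes: width * bytes_per_element is computed
 * in 32-bit signed arithmetic and only afterwards widened to size_t. The wrap
 * is modelled via int64_t plus an explicit narrowing so this demo has no
 * undefined behaviour; the value is what the narrow multiply yields on
 * two's-complement targets. */
size_t row_bytes_vulnerable_pattern(const channel_t *chan)
{
    int32_t narrow = (int32_t)((int64_t)chan->width * chan->bytes_per_element);
    return (size_t)narrow;  /* a negative wrap sign-extends into a huge size_t */
}

/* The fix the advisory describes: cast before multiplying so the product is
 * formed in size_t. On a 32-bit target size_t is only 32 bits wide, so this
 * alone still wraps for products >= 2^32; the checked variant covers that. */
size_t row_bytes_fixed(const channel_t *chan)
{
    return (size_t)chan->width * (size_t)chan->bytes_per_element;
}

/* Defensive variant: reject negative dimensions and any product that does not
 * fit in size_t, whatever its width. Returns false when the size is unusable. */
bool row_bytes_checked(const channel_t *chan, size_t *out)
{
    if (chan->width < 0 || chan->bytes_per_element < 0)
        return false;
    return !__builtin_mul_overflow((size_t)chan->width,
                                   (size_t)chan->bytes_per_element, out);
}

int main(void)
{
    /* Constructed inputs: a sane channel and one whose product is exactly 2^32. */
    channel_t sane = { 1920, 2 };
    channel_t huge = { 1073741824, 4 };  /* 2^30 * 4 = 2^32, i.e. 0 after a 32-bit wrap */
    size_t n = 0;

    printf("sane: narrow=%zu fixed=%zu\n",
           row_bytes_vulnerable_pattern(&sane), row_bytes_fixed(&sane));
    printf("huge: narrow=%zu fixed=%zu checked=%s\n",
           row_bytes_vulnerable_pattern(&huge), row_bytes_fixed(&huge),
           row_bytes_checked(&huge, &n) ? "ok" : "rejected");
    return 0;
}
```

The point a reviewer would look for is the position of the cast: `(size_t)(a * b)` widens after the overflow has already happened, whereas `(size_t)a * (size_t)b` widens the operands first. A product of exactly 2^32 collapses to a row size of zero under the narrow multiply, and a product of 2^31 becomes a negative int32 that sign-extends into a size_t near SIZE_MAX; either value passed to an allocator or a bounds check is the kind of defect the CVSS vector above (local, user-interaction, high impact on confidentiality, integrity and availability) reflects.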
EPSS 0.03% · 10.1st percentile
Risk Scores
CVSS v4.0
8.4
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.03%
10.1st percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| AcademySoftwareFoundation | openexr | >= 3.2.0, < 3.2.8; >= 3.3.0, < 3.3.10; >= 3.4.0, < 3.4.10 |
Timeline
- Apr 18, 2026 PoC Published
- Apr 21, 2026 CVE Published
- Apr 21, 2026 PoC Published
- Apr 23, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
References
- https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-m5qw-23x2-6phj
- https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.8
- https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10
- https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10