CVE-2026-40250

low-risk

Published 2026-04-21

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1040` performs `chan->width * chan->bytes_per_element` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other decoders by CVE-2026-34589/34588/34544, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1040`.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.1/10 High

LOCAL / LOW complexity

Affected Products (1)

Openexr

Affected Vendors

Openexr

References (4)

Product https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.8

Product https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10

Product https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10

Mitigation https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-m5...

/ 100

low-risk

Severity 22/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal