CVE-2026-40250 OpenEXR has integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, internaldwacompressor.h:1040 performs chan-width chan-bytesperelement in...

CVE-2026-40250

OpenEXR CVE-2026-40250 affects multiple release series (3.4.0–3.4.9, 3.3.0–3.3.9, 3.2.0–3.2.7) where internal_dwa_compressor.h:1040 computes chan->width * chan->bytes_per_element using int32 arithmetic without a size_t cast, enabling an integer overflow in the DWA decoder outBufferEnd point...

OESA-2026-1844 OpenEXR security update

OpenEXR is a high dynamic-range HDR image file format originally developed by Industrial Light Magic for use in computer imaging applications. Security Fixes: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture...

PT-2026-30663

Name of the Vulnerable Software and Affected Versions OpenEXR versions 3.2.0 through 3.2.6, 3.3.9, and 3.4.9 Description OpenEXR, an image storage format used in the motion picture industry, contains a flaw in the DWA lossy decoder. Specifically, the decoder uses signed 32-bit arithmetic to creat...