PatchSiren cyber security CVE debrief

CVE-2026-40244 AcademySoftwareFoundation CVE debrief

CVE-2026-40244 is a high-severity vulnerability in OpenEXR, an image storage format used in the motion picture industry. It affects OpenEXR versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7. The defect is an integer overflow in the `internal_dwa_compressor.h` file, which could lead to code execution. The vulnerability has a CVSS score of 8.4 and is classified as HIGH. The OpenEXR project has released fixed versions 3.4.10, 3.3.10, and 3.2.8.

Vendor: AcademySoftwareFoundation
Product: openexr
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-21
Original CVE updated: 2026-06-30
Advisory published: 2026-04-21
Advisory updated: 2026-06-30

Who should care

Organizations that build or run applications on OpenEXR, particularly in the motion picture industry, should track this vulnerability and mitigate it: update to a patched version of OpenEXR and monitor for exploitation attempts. Developers who embed OpenEXR in their projects should also check the OpenEXR documentation and changelogs to confirm that the version they ship is a fixed one.

Technical summary

The vulnerability is an integer overflow in the `internal_dwa_compressor.h` file, specifically at line 1722. The product `curc->width * curc->height` is computed in `int32` arithmetic and only then widened, rather than casting an operand to `(size_t)` before the multiplication; for large dimensions the `int32` product overflows and the result no longer matches the true pixel count. This is the same overflow pattern that the recent CVE-2026-34589 batch fixed at other locations, but this line was missed.
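The int32-versus-size_t distinction described above, as an added example that is not OpenEXR's code: the `channel_dims` struct, the function names and the sample dimensions are constructed here to mirror the `curc->width * curc->height` expression named in the advisory, and the checked variant at the end is a general defensive pattern for code that sizes buffers from image dimensions, not the project's own fix.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical channel descriptor (added example; not OpenEXR's real struct).
 * It carries only the two fields named in the advisory, width and height. */
typedef struct {
    int32_t width;
    int32_t height;
} channel_dims;

/* Shape of the defect described for line 1722: the product is formed in int32
 * and only widened afterwards, so the outer cast does nothing for the overflow.
 * Signed overflow is undefined behaviour in C; this function exists to show the
 * pattern and is only called below for dimensions whose product fits. */
size_t pixel_count_int32(const channel_dims *c)
{
    return (size_t)(c->width * c->height);
}

/* Patched pattern: widen an operand before multiplying, so the product is
 * computed in size_t. On 64-bit targets no pair of positive int32 values can
 * make this wrap. */
size_t pixel_count_size_t(const channel_dims *c)
{
    return (size_t)c->width * (size_t)c->height;
}

/* Reports whether width * height is representable in int32, i.e. whether the
 * int32 computation would have been safe for these dimensions. */
bool product_fits_int32(int32_t width, int32_t height)
{
    if (width <= 0 || height <= 0)
        return false;
    return (int64_t)width * (int64_t)height <= INT32_MAX;
}

/* Defensive variant: reject non-positive dimensions (a negative int32 cast to
 * size_t becomes a huge value) and products that cannot fit in size_t, which
 * matters on 32-bit targets. */
bool pixel_count_checked(const channel_dims *c, size_t *out)
{
    if (c->width <= 0 || c->height <= 0)
        return false;
    size_t w = (size_t)c->width;
    size_t h = (size_t)c->height;
    if (w > SIZE_MAX / h)
        return false;
    *out = w * h;
    return true;
}

int main(void)
{
    /* Constructed sample dimensions: an ordinary HD frame and an oversized one. */
    const channel_dims samples[] = { { 1920, 1080 }, { 65536, 32768 } };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const channel_dims *c = &samples[i];
        size_t n = 0;
        printf("%" PRId32 " x %" PRId32 ": ", c->width, c->height);
        if (product_fits_int32(c->width, c->height))
            printf("int32 product %zu, ", pixel_count_int32(c));
        else
            printf("int32 product would overflow, ");
        printf("size_t product %zu, ", pixel_count_size_t(c));
        if (pixel_count_checked(c, &n))
            printf("checked %zu\n", n);
        else
            printf("checked: rejected\n");
    }
    return 0;
}
```

The 65536 x 32768 case is the one that separates the two forms: its product is exactly 2^31, one more than `INT32_MAX`, so the int32 computation overflows while the size_t computation returns the correct count. When auditing for this pattern, look for `width * height` (or any dimension product) where both operands are 32-bit integers and the cast, if any, sits outside the parentheses.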

Defensive priority

Updating OpenEXR to a patched version should be treated as high priority, since this vulnerability has the potential for code execution. Monitoring for exploitation attempts and reviewing the OpenEXR documentation and changelogs are recommended alongside the update.

Recommended defensive actions

  • Update OpenEXR to version 3.4.10, 3.3.10, or 3.2.8, or later
  • Monitor for potential exploitation attempts
  • Review OpenEXR documentation and changelogs to ensure secure version usage
  • Perform a thorough inventory of systems and applications using OpenEXR
  • Implement compensating controls where the update is delayed, such as validating EXR input before it is decoded and treating decoder errors as failures rather than continuing

Evidence notes

The CVE-2026-40244 vulnerability was publicly disclosed on April 21, 2026, and has since been modified on June 30, 2026. The OpenEXR project has released patches for this vulnerability in versions 3.4.10, 3.3.10, and 3.2.8. The vulnerability has a CVSS score of 8.4 and is classified as HIGH.

Official resources

This article was generated with AI assistance based on the supplied source corpus.