PatchSiren cyber security CVE debrief
CVE-2026-40244 AcademySoftwareFoundation CVE debrief
CVE-2026-40244 is a high-severity vulnerability in OpenEXR, an image storage format used in the motion picture industry. The vulnerability affects OpenEXR versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7. The issue is caused by an integer overflow in the `internal_dwa_compressor.h` file, which can lead to potential code execution. The vulnerability has a CVSS score of 8.4 and is classified as HIGH. The OpenEXR project has released patches for this vulnerability in versions 3.4.10, 3.3.10, and 3.2.8.
- Vendor: AcademySoftwareFoundation
- Product: openexr
- CVSS: HIGH 8.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-21
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-21
- Advisory updated: 2026-06-30
Who should care
Organizations that use OpenEXR in their applications, particularly in the motion picture industry, should be aware of this vulnerability and take steps to mitigate it: update to a patched version of OpenEXR and monitor for exploitation attempts. Developers who build OpenEXR into their own projects should also review the OpenEXR documentation and changelogs to confirm they are shipping a fixed version.
Technical summary
The vulnerability is an integer overflow in `internal_dwa_compressor.h`, specifically at line 1722. The product `curc->width * curc->height` is computed in `int32` arithmetic without first widening the operands with a `(size_t)` cast, so sufficiently large channel dimensions wrap the result. This is the same overflow pattern that the recent CVE-2026-34589 batch fixed at other locations, but this line was missed. The vulnerability has a CVSS score of 8.4 and is classified as HIGH.
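The following is an added illustration, not code from the OpenEXR project, of the overflow pattern the summary describes and of the check that defends against it. The `channel_dims` struct is a stand-in for the structure the advisory calls `curc`; the real field layout and surrounding code are not on this page, and the wrapped product is modelled in unsigned arithmetic because signed overflow is undefined in C.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical channel descriptor standing in for the advisory's curc. */
typedef struct {
    int width;
    int height;
} channel_dims;

/* Overflow-prone pattern from the advisory: the dimensions are multiplied
 * in 32-bit arithmetic and only the already-wrapped result is widened.
 * (Modelled with uint32_t so the demo is well-defined; the bit pattern
 * matches what a wrapped int32 product would produce.) */
size_t pixel_count_unchecked(const channel_dims *c)
{
    uint32_t product = (uint32_t)c->width * (uint32_t)c->height;
    return (size_t)product; /* cast applied too late to help */
}

/* Hardened form: reject non-positive dimensions, widen each operand
 * before multiplying, and refuse products that do not fit in size_t.
 * Returns false when the count cannot be represented safely. */
bool pixel_count_checked(const channel_dims *c, size_t *out)
{
    if (c->width <= 0 || c->height <= 0)
        return false;
    size_t w = (size_t)c->width;
    size_t h = (size_t)c->height;
    if (w > SIZE_MAX / h)     /* w * h would overflow size_t */
        return false;
    *out = w * h;
    return true;
}

/* Buffer sizing built on the checked count: the bytes-per-pixel
 * multiplication is guarded the same way, so an allocation request
 * derived from attacker-controlled dimensions can never wrap small. */
bool buffer_bytes_checked(const channel_dims *c, size_t bytes_per_pixel,
                          size_t *out)
{
    size_t pixels;
    if (bytes_per_pixel == 0 || !pixel_count_checked(c, &pixels))
        return false;
    if (pixels > SIZE_MAX / bytes_per_pixel)
        return false;
    *out = pixels * bytes_per_pixel;
    return true;
}
```

With 70000x70000 pixels the unchecked path yields 605032704 (4900000000 modulo 2^32), a buffer far smaller than the data that will later be written into it, while the checked path returns the true count or rejects the dimensions outright.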
Defensive priority
Updating OpenEXR to a patched version should be treated as high priority, because the overflow can lead to code execution. Monitoring for exploitation attempts and reviewing the OpenEXR documentation and changelogs are also recommended.
Recommended defensive actions
- Update OpenEXR to version 3.4.10, 3.3.10, or 3.2.8, or later
- Monitor for potential exploitation attempts
- Review OpenEXR documentation and changelogs to ensure secure version usage
- Perform a thorough inventory of systems and applications using OpenEXR
- Implement compensating controls, such as validating the dimensions of untrusted OpenEXR input before it reaches the decoder and handling decode errors safely
Evidence notes
CVE-2026-40244 was publicly disclosed on April 21, 2026, and the record was last modified on June 30, 2026. The OpenEXR project has released patches for this vulnerability in versions 3.4.10, 3.3.10, and 3.2.8. The vulnerability has a CVSS score of 8.4 and is classified as HIGH.
Official resources
- CVE-2026-40244 CVE record (CVE.org)
- CVE-2026-40244 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Mitigation, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.