PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44663 AcademySoftwareFoundation CVE debrief

CVE-2026-44663 is a heap-buffer overflow vulnerability in OpenEXR, a widely used image format in the motion picture industry. The vulnerability exists in the ht_undo_impl() function in src/lib/OpenEXRCore/internal_ht.cpp, where an integer overflow occurs when decoding a crafted HTJ2K-compressed EXR file. This leads to a corrupted offset used for pointer arithmetic, causing a heap out-of-bounds write. The issue has been fixed in version 3.4.12.

Vendor
AcademySoftwareFoundation
Product
openexr
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-26
Advisory published
2026-06-18
Advisory updated
2026-06-26

Who should care

Organizations using OpenEXR versions 3.4.0 through 3.4.11 should prioritize patching to prevent potential exploitation. This includes industries relying on OpenEXR for image processing, such as motion picture and visual effects studios.

Technical summary

The vulnerability arises from an integer overflow in the ht_undo_impl() function. Specifically, the multiplication of decode->channels[i].width (int32_t) by bytes_per_element in 32-bit signed arithmetic overflows for large widths (e.g., >= 536870912 for FLOAT data). This overflow produces a corrupted offset used later for pointer arithmetic, leading to a heap out-of-bounds write. The same multiplication pattern appears in two other HTJ2K paths (bytes-per-line accumulation and pixel-line pointer advancement), also vulnerable to overflow before validation.

Defensive priority

High priority should be given to patching OpenEXR installations, especially in environments processing untrusted image files. Implementing input validation and monitoring for suspicious image processing activity can provide additional defense.

Recommended defensive actions

  • Patch OpenEXR to version 3.4.12 or later
  • Implement input validation for image files
  • Monitor for suspicious image processing activity
  • Inventory and update affected systems and software
  • Consider compensating controls for environments unable to patch immediately

Evidence notes

The CVE record was published on 2026-06-18T21:16:28.767Z and has not been modified since then. The NVD entry is currently Analyzed. The vulnerability has a CVSS score of 6.1 and is classified as MEDIUM severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T21:16:28.767Z and has not been modified since then. The NVD entry is currently Analyzed.