PatchSiren cyber security CVE debrief
CVE-2026-44663 AcademySoftwareFoundation CVE debrief
CVE-2026-44663 is a heap-buffer overflow vulnerability in OpenEXR, a widely used image format in the motion picture industry. The vulnerability exists in the ht_undo_impl() function in src/lib/OpenEXRCore/internal_ht.cpp, where an integer overflow occurs when decoding a crafted HTJ2K-compressed EXR file. This leads to a corrupted offset used for pointer arithmetic, causing a heap out-of-bounds write. The issue has been fixed in version 3.4.12.
- Vendor
- AcademySoftwareFoundation
- Product
- openexr
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-18
- Original CVE updated
- 2026-06-26
- Advisory published
- 2026-06-18
- Advisory updated
- 2026-06-26
Who should care
Organizations using OpenEXR versions 3.4.0 through 3.4.11 should prioritize patching to prevent potential exploitation. This includes industries relying on OpenEXR for image processing, such as motion picture and visual effects studios.
Technical summary
The vulnerability arises from an integer overflow in the ht_undo_impl() function. Specifically, the multiplication of decode->channels[i].width (int32_t) by bytes_per_element in 32-bit signed arithmetic overflows for large widths (e.g., >= 536870912 for FLOAT data). This overflow produces a corrupted offset used later for pointer arithmetic, leading to a heap out-of-bounds write. The same multiplication pattern appears in two other HTJ2K paths (bytes-per-line accumulation and pixel-line pointer advancement), also vulnerable to overflow before validation.
Defensive priority
High priority should be given to patching OpenEXR installations, especially in environments processing untrusted image files. Implementing input validation and monitoring for suspicious image processing activity can provide additional defense.
Recommended defensive actions
- Patch OpenEXR to version 3.4.12 or later
- Implement input validation for image files
- Monitor for suspicious image processing activity
- Inventory and update affected systems and software
- Consider compensating controls for environments unable to patch immediately
Evidence notes
The CVE record was published on 2026-06-18T21:16:28.767Z and has not been modified since then. The NVD entry is currently Analyzed. The vulnerability has a CVSS score of 6.1 and is classified as MEDIUM severity.
Official resources
-
CVE-2026-44663 CVE record
CVE.org
-
CVE-2026-44663 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Exploit, Mitigation, Patch, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T21:16:28.767Z and has not been modified since then. The NVD entry is currently Analyzed.