CVE-2026-27622
Published: 03 March 2026
Summary
CVE-2026-27622 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Openexr Openexr. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 6.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely identification, reporting, and patching of the buffer overflow flaw in vulnerable OpenEXR versions.
Requires validation of EXR file inputs to detect and reject malformed files with attacker-controlled large counts that trigger integer wraparound and undersized buffer allocation.
Implements memory protections such as DEP and ASLR to mitigate exploitation of the buffer overrun even if the vulnerable OpenEXR code is executed.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in OpenEXR image library enables arbitrary code execution when a user opens a malformed EXR file in a vulnerable client application, directly mapping to exploitation for client execution via malicious file.
NVD Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps…
more
modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
Deeper analysisAI
CVE-2026-27622 is a buffer overflow vulnerability (CWE-787) in the OpenEXR library, the reference implementation and specification for the EXR image file format widely used in the motion picture industry. The issue occurs in the CompositeDeepScanLine::readPixels function, where per-pixel totals accumulated in a vector<unsigned int> total_sizes wrap around modulo 2^32 due to attacker-controlled large counts across many parts. This leads to an underestimated overall_sample_count, causing samples[channel].resize to allocate an undersized buffer, which is later overrun during decode pointer setup and write operations in generic_unpack_deep_pointers.
The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating local access with low attack complexity, no privileges required, and user interaction needed. A local attacker can exploit it by supplying a malformed EXR file that tricks a user into processing it via an application using vulnerable OpenEXR versions, potentially achieving arbitrary code execution with high impacts on confidentiality, integrity, and availability through the buffer overrun.
The GitHub Security Advisory (GHSA-cr4v-6jm6-4963) confirms the vulnerability and states it is fixed in OpenEXR versions v3.2.6, v3.3.8, and v3.4.6. Security practitioners should update affected OpenEXR deployments to these patched releases and validate EXR file inputs where possible to mitigate risks from untrusted sources.
Details
- CWE(s)