CVE-2026-40244
Published: 21 April 2026
Summary
CVE-2026-40244 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in OpenEXR (NVD vendor/product: Openexr Openexr). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely remediation of identified flaws by patching vulnerable OpenEXR versions to fix the integer overflow in DWA compression handling.
- RA-5 (Vulnerability Monitoring and Scanning): mandates vulnerability scanning to identify systems running affected OpenEXR library versions exposed to CVE-2026-40244.
- SI-10 (Information Input Validation): requires validation of untrusted inputs such as EXR file dimensions, bounding their values to prevent integer overflows during width * height calculations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes exploitation via a crafted malicious EXR image file opened by a user in a vulnerable client application, directly enabling T1203 (Exploitation for Client Execution) and T1204.003 (Malicious Image).
NVD Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs `curc->width * curc->height` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other locations by the recent CVE-2026-34589 batch, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1722`.
Deeper analysis
CVE-2026-40244 is an integer overflow vulnerability (CWE-190) in the OpenEXR library, which provides the specification and reference implementation for the EXR image file format used in the motion picture industry. The flaw occurs in `internal_dwa_compressor.h` at line 1722, where the calculation `curc->width * curc->height` is performed using int32 arithmetic without a cast to `size_t`, potentially leading to overflows. It affects OpenEXR versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7. This issue follows the same overflow pattern addressed in the CVE-2026-34589 fixes but was overlooked in that batch.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H), indicating local access is required with low attack complexity, no privileges, and user interaction. An attacker can exploit it by crafting a malicious EXR file that, when opened by a local user in an application linked to a vulnerable OpenEXR version, triggers the overflow during DWA compression handling. Successful exploitation results in high integrity and availability impacts, such as application crashes or memory corruption, but no confidentiality loss.
Mitigation involves upgrading to the fixed releases: OpenEXR 3.4.10, 3.3.10, or 3.2.8, as detailed in the GitHub release notes and the security advisory GHSA-j526-66f6-fxhx. Practitioners should audit dependencies in image processing software, such as those in VFX pipelines or graphics applications, for vulnerable OpenEXR versions and apply patches promptly.
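The overflow pattern and its hardened form, as an added example that is not OpenEXR's own code: the `channel_dims` struct only mirrors the page's `curc->width` / `curc->height` fields, the constructed 65536 x 65537 header values are illustrative, and the `max_pixels` bound goes beyond the upstream fix, which is the `(size_t)` cast alone.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical channel descriptor modelled on the page's `curc->width`
 * and `curc->height`; not OpenEXR's real struct. */
typedef struct {
    int32_t width;
    int32_t height;
} channel_dims;

/* The pattern the advisory describes: both operands are int32, so the
 * product is evaluated in 32-bit arithmetic and wraps before it is
 * widened for use as a size. Signed overflow is undefined in C, so this
 * demo wraps explicitly in uint32_t to show the value a typical build
 * would produce. */
static size_t pixel_count_unchecked(const channel_dims *c)
{
    uint32_t w = (uint32_t) c->width;
    uint32_t h = (uint32_t) c->height;
    return (size_t) (w * h);   /* low 32 bits only */
}

/* Hardened form: widen before multiplying (the upstream fix's `(size_t)`
 * cast) and additionally reject non-positive dimensions or a product
 * above `max_pixels`. The division check also catches wrap on 32-bit
 * size_t, where widening alone would not help. */
static bool pixel_count_checked(const channel_dims *c, size_t max_pixels,
                                size_t *out)
{
    if (c->width <= 0 || c->height <= 0)
        return false;
    size_t w = (size_t) c->width;
    size_t h = (size_t) c->height;
    if (w > max_pixels / h)      /* w * h would exceed max_pixels */
        return false;
    *out = w * h;
    return true;
}

int main(void)
{
    /* Constructed header values: 65536 x 65537 wraps to 65536 in 32 bits. */
    channel_dims crafted = { 65536, 65537 };
    size_t n = 0;
    printf("unchecked: %zu pixels\n", pixel_count_unchecked(&crafted));
    printf("checked (limit 2^28): %s\n",
           pixel_count_checked(&crafted, (size_t) 1 << 28, &n) ? "ok" : "rejected");
    return 0;
}
```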
Details
- CWE(s): CWE-190 (Integer Overflow or Wraparound)