Cyber Posture

CVE-2026-40250

High

Published: 21 April 2026

Modified: 22 April 2026
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0003 (8.8th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40250 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in OpenEXR. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). Its EPSS ranks at the 8.8th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2 Flaw Remediation): Directly requires timely remediation of the integer overflow flaw in OpenEXR by applying patches from fixed versions 3.2.8, 3.3.10, and 3.4.10.

detect (RA-5 Vulnerability Monitoring and Scanning): Provides vulnerability scanning to identify systems running vulnerable OpenEXR versions affected by this integer overflow CVE.

prevent: Mandates validation of EXR file inputs, such as channel width and bytes_per_element, to avert overflows in the DWA compressor arithmetic.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The integer overflow in OpenEXR enables memory corruption and arbitrary code execution when a crafted malicious EXR file is processed by a vulnerable application; this directly maps to exploitation for client execution (T1203) and is facilitated by tricking a user into opening/processing the malicious file (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1040` performs `chan->width * chan->bytes_per_element` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other decoders by CVE-2026-34589/34588/34544, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1040`.

Deeper analysis

CVE-2026-40250 is an integer overflow vulnerability (CWE-190) in the OpenEXR library, the reference implementation and specification for the EXR image file format widely used in the motion picture industry. The flaw affects versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, specifically in the file `internal_dwa_compressor.h` at line 1040. There, the computation `chan->width * chan->bytes_per_element` uses `int32` arithmetic without a cast to `size_t`, enabling an overflow. This follows the same pattern previously fixed in other decoders by CVE-2026-34589, CVE-2026-34588, and CVE-2026-34544, but was missed in this instance.
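The arithmetic the NVD description and the analysis above describe, as an added C example that is not OpenEXR's own code: the `chan->width * chan->bytes_per_element` product formed in `int32`, beside the `size_t`-widened and range-checked form a decoder should use before sizing a buffer. The function names, the plain-integer parameters and the sample channel values are constructed for illustration; the real decoder's surrounding structure is not reproduced.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Vulnerable pattern (hypothetical stand-in for the real code): both operands
 * are int32, so `chan->width * chan->bytes_per_element` is multiplied in
 * 32-bit arithmetic and only afterwards widened to whatever receives it.
 * The product is formed in uint32_t here so the wrapped value can be shown
 * without invoking signed-overflow undefined behaviour. */
uint32_t row_bytes_wrapping(int32_t width, int32_t bytes_per_element)
{
    return (uint32_t)width * (uint32_t)bytes_per_element;
}

/* Hardened pattern: reject non-positive operands, widen to size_t before
 * multiplying, and refuse a product that would not fit in size_t.
 * Returns 0 on any failure (a valid row is never 0 bytes). */
size_t row_bytes_checked(int32_t width, int32_t bytes_per_element)
{
    if (width <= 0 || bytes_per_element <= 0)
        return 0;
    size_t w = (size_t)width;
    size_t b = (size_t)bytes_per_element;
    if (w > SIZE_MAX / b)
        return 0;              /* w * b would overflow size_t */
    return w * b;
}

int main(void)
{
    /* Constructed header values: an ordinary 1920-wide half-float channel,
     * and a crafted 2^30-wide 4-byte channel whose product is exactly 2^32. */
    struct { int32_t width, bpe; } cases[] = { {1920, 2}, {1073741824, 4} };
    for (size_t i = 0; i < 2; i++) {
        printf("width=%d bytes_per_element=%d: int32 product=%u, size_t product=%zu\n",
               cases[i].width, cases[i].bpe,
               row_bytes_wrapping(cases[i].width, cases[i].bpe),
               row_bytes_checked(cases[i].width, cases[i].bpe));
    }
    return 0;
}
```

For the crafted case the wrapping version returns 0, which would size a buffer far too small for the rows later written into it; the checked version returns the true 4 GiB on a 64-bit build (or 0 on a 32-bit one), which the caller should still bound against the declared image dimensions before allocating.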

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H). Local attackers with no privileges required can exploit it with low complexity by tricking users into processing a crafted malicious EXR file via an application linked to the vulnerable OpenEXR library. Successful exploitation enables high-impact integrity and availability effects, such as memory corruption, arbitrary code execution, or denial of service, while confidentiality remains unaffected.

Mitigation is provided in OpenEXR releases 3.4.10, 3.3.10, and 3.2.8, which address the overflow at internal_dwa_compressor.h:1040. Security advisories and release notes, including GitHub security advisory GHSA-m5qw-23x2-6phj, recommend updating to these fixed versions in all dependent software to prevent exploitation.

Details

CWE(s): CWE-190 Integer Overflow or Wraparound

Affected Products: openexr / openexr, versions 3.2.0 — 3.2.8 · 3.3.0 — 3.3.10 · 3.4.0 — 3.4.10

CVEs Like This One

CVE-2026-34545 (same product: OpenEXR)
CVE-2026-40244 (same product: OpenEXR)
CVE-2026-34544 (same product: OpenEXR)
CVE-2026-27622 (same product: OpenEXR)
CVE-2026-41142 (same product: OpenEXR)
CVE-2026-34379 (same product: OpenEXR)
CVE-2026-34588 (same product: OpenEXR)
CVE-2025-48072 (same product: OpenEXR)
CVE-2026-34543 (same product: OpenEXR)
CVE-2026-21321 (shared CWE-190)