Cyber Resilience

CVE-2026-41142

Severity: High · Public PoC · Updated

Published: 07 May 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (3.2.9, 3.3.11, 3.4.11)
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.0036 (27.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-41142 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in the OpenEXR library (vendor openexr, product openexr). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 27.5th percentile by EPSS exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.


Vulnerability details

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::resize that leads to a heap out-of-bounds write reachable via the OpenEXRUtil public API. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.

CWE(s)

CWE-190 Integer Overflow or Wraparound

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap OOB write from integer overflow in image library parsing enables client-side arbitrary code execution via malicious EXR input.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40244 (same product: openexr)
CVE-2026-40250 (same product: openexr)
CVE-2026-34379 (same product: openexr)
CVE-2026-34545 (same product: openexr)
CVE-2026-34544 (same product: openexr)
CVE-2026-27622 (same product: openexr)
CVE-2026-34588 (same product: openexr)
CVE-2025-48072 (same product: openexr)
CVE-2026-34543 (same product: openexr)
CVE-2026-40962 (shared CWE-190)

Affected Assets

Vendor: openexr
Product: openexr
Affected versions: 3.0.0 up to (not including) 3.2.9 · 3.3.0 up to (not including) 3.3.11 · 3.4.0 up to (not including) 3.4.11

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
