CVE-2026-27622

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-27622
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27622.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27622
Aliases
Downstream
Related
Published
2026-03-03T22:42:49.086Z
Modified
2026-04-03T17:30:22.538504601Z
Severity
  • 8.4 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenEXR CompositeDeepScanLine integer-overflow leads to heap OOB write
Details

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> totalsizes for attacker-controlled large counts across many parts, totalsizes[ptr] wraps modulo 2^32. overallsamplecount is then derived from wrapped totals and used in samples[channel].resize(overallsamplecount). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (genericunpackdeep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27622.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-787"
    ]
}
References

Affected packages

Git / github.com/academysoftwarefoundation/openexr

Affected ranges

Type
GIT
Repo
https://github.com/academysoftwarefoundation/openexr
Events
Introduced
0ac2ea34c8f3134148a5df4052e40f155b76f6fb
Fixed
14e438dce8e6ebd03bc5564d02cfa97f9be6028a
Database specific 
{
    "versions": [
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "3.2.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/academysoftwarefoundation/openexr
Events
Introduced
c7d3eac70ccde2c4ed484c6638b83ba872f71464
Fixed
3fad448f2c98c70a2f6403566a664e32bbe770f8
Database specific 
{
    "versions": [
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.3.8"
        }
    ]
}
Type
GIT
Repo
https://github.com/academysoftwarefoundation/openexr
Events
Introduced
20a65852895894434bea88613f6d29ac8e88bd6e
Fixed
d7605f5990900cff8024f1fb36ffb0912d340b52
Database specific 
{
    "versions": [
        {
            "introduced": "3.4.0"
        },
        {
            "fixed": "3.4.6"
        }
    ]
}

Affected versions

v2.*
v2.3.0
v2.4.0
v2.4.0-beta.1
v2.5.0
v3.*
v3.0.0-beta
v3.2.0
v3.2.0-rc
v3.2.0-rc2
v3.2.0-rc3
v3.2.0-rc4
v3.2.1
v3.2.1-rc
v3.2.2
v3.2.2-rc
v3.2.2-rc2
v3.2.3
v3.2.3-rc
v3.2.3-rc2
v3.2.4
v3.2.4-rc
v3.2.4-rc2
v3.2.5
v3.2.5-rc
v3.3.0
v3.3.0-rc2
v3.3.1
v3.3.1-rc
v3.3.2
v3.3.2-rc
v3.3.2-rc2
v3.3.2-rc3
v3.3.2-rc4
v3.3.3
v3.3.3-rc
v3.3.3-rc1
v3.3.4
v3.3.4-rc
v3.3.5
v3.3.5-rc
v3.3.5-rc3
v3.3.6
v3.3.6-rc
v3.3.6-rc2
v3.3.6-rc3
v3.3.6-rc4
v3.3.7
v3.3.7-rc
v3.3.7-rc2
v3.3.7-rc3
v3.3.7-rc4
v3.4.0
v3.4.1
v3.4.1-rc
v3.4.1-rc2
v3.4.2
v3.4.2-rc
v3.4.2-rc2
v3.4.3
v3.4.3-rc
v3.4.3-rc2
v3.4.3-rc3
v3.4.4
v3.4.4-rc
v3.4.4-rc2
v3.4.5
v3.4.5-rc
v3.4.6-rc

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27622.json"
vanir_signatures 
[
    {
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "239338313904543462456885454604527003099",
                "109654351193261023483294361034554114820"
            ]
        },
        "source": "https://github.com/academysoftwarefoundation/openexr/commit/3fad448f2c98c70a2f6403566a664e32bbe770f8",
        "id": "CVE-2026-27622-8f60c111",
        "target": {
            "file": "src/lib/OpenEXRCore/openexr_version.h"
        }
    }
]

Git / github.com/openexr/openexr

Affected ranges

Type
GIT
Repo
https://github.com/openexr/openexr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
14e438dce8e6ebd03bc5564d02cfa97f9be6028a
Introduced
c7d3eac70ccde2c4ed484c6638b83ba872f71464
Fixed
3fad448f2c98c70a2f6403566a664e32bbe770f8
Introduced
20a65852895894434bea88613f6d29ac8e88bd6e
Fixed
d7605f5990900cff8024f1fb36ffb0912d340b52
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.2.6"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.3.8"
        },
        {
            "introduced": "3.4.0"
        },
        {
            "fixed": "3.4.6"
        }
    ]
}

Affected versions

v3.*
v3.3.0
v3.3.0-rc2
v3.3.1
v3.3.1-rc
v3.3.2
v3.3.2-rc
v3.3.2-rc2
v3.3.2-rc3
v3.3.2-rc4
v3.3.3
v3.3.3-rc
v3.3.3-rc1
v3.3.4
v3.3.4-rc
v3.3.5
v3.3.5-rc
v3.3.5-rc3
v3.3.6
v3.3.6-rc
v3.3.6-rc2
v3.3.6-rc3
v3.3.6-rc4
v3.3.7
v3.3.7-rc
v3.3.7-rc2
v3.3.7-rc3
v3.3.7-rc4
v3.4.0
v3.4.1
v3.4.1-rc
v3.4.1-rc2
v3.4.2
v3.4.2-rc
v3.4.2-rc2
v3.4.3
v3.4.3-rc
v3.4.3-rc2
v3.4.3-rc3
v3.4.4
v3.4.4-rc
v3.4.4-rc2
v3.4.5
v3.4.5-rc
v3.4.6-rc

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27622.json"
vanir_signatures 
[
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "src/lib/OpenEXRCore/openexr_version.h"
        },
        "source": "https://github.com/openexr/openexr/commit/3fad448f2c98c70a2f6403566a664e32bbe770f8",
        "deprecated": false,
        "id": "CVE-2026-27622-6ea1d6d2",
        "digest": {
            "line_hashes": [
                "239338313904543462456885454604527003099",
                "109654351193261023483294361034554114820"
            ],
            "threshold": 0.9
        }
    }
]