CVE-2026-44663

Source
https://cve.org/CVERecord?id=CVE-2026-44663
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44663.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44663
Aliases
  • GHSA-777r-f9x8-7r84
Downstream
Related
Published
2026-06-18T20:20:15.532Z
Modified
2026-07-08T08:13:09.323913Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H CVSS Calculator
Summary
OpenEXR: Integer overflow in the HTJ2K decoder leads to heap-buffer-overflow
Details

OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, an integer overflow in htundoimpl() in src/lib/OpenEXRCore/internalht.cpp leads to a heap-buffer overflow when decoding a crafted HTJ2K-compressed EXR file. decode->channels[i].width (int32t) is multiplied by bytesperelement in 32-bit signed arithmetic. With large widths (e.g., >= 536870912 for FLOAT data), this overflows, producing a corrupted offset that is later used for pointer arithmetic and can cause a heap out-of-bounds write. The same unchecked multiplication pattern appears in two other HTJ2K paths (bytes-per-line accumulation and pixel-line pointer advancement). As with related CVE-2026-34378 through CVE-2026-34589 fixes in other codecs, validating only after the multiplication is too late because the value may already be overflowed. This issue has been fixed in version 3.4.12.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44663.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-190",
        "CWE-787"
    ]
}
References

Affected packages

Git / github.com/academysoftwarefoundation/openexr

Affected ranges

Type
GIT
Repo
https://github.com/academysoftwarefoundation/openexr
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "3.4.0"
        },
        {
            "fixed": "3.4.11"
        },
        {
            "fixed": "3.4.12"
        }
    ]
}

Affected versions

v3.*
v3.4.0
v3.4.1
v3.4.1-rc
v3.4.1-rc2
v3.4.10
v3.4.10-rc
v3.4.11-rc
v3.4.11-rc2
v3.4.2
v3.4.2-rc
v3.4.2-rc2
v3.4.3
v3.4.3-rc
v3.4.3-rc2
v3.4.3-rc3
v3.4.4
v3.4.4-rc
v3.4.4-rc2
v3.4.5
v3.4.5-rc
v3.4.6
v3.4.6-rc
v3.4.7
v3.4.7-rc
v3.4.8
v3.4.8-rc
v3.4.9
v3.4.9-rc

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44663.json"