OESA-2026-2180

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2180
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2180.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2180
Upstream
  • CVE-2026-40244
  • CVE-2026-40250
Published
2026-05-03T09:57:38Z
Modified
2026-05-03T10:19:02.510660Z
Summary
OpenEXR security update
Details

OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.

Security Fix(es):

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, internal_dwa_compressor.h:1722 performs curc->width * curc->height in int32 arithmetic without a (size_t) cast. This is the same overflow pattern fixed in other locations by the recent CVE-2026-34589 batch, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses internal_dwa_compressor.h:1722.(CVE-2026-40244)

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, internal_dwa_compressor.h:1040 performs chan->width * chan->bytes_per_element in int32 arithmetic without a (size_t) cast. This is the same overflow pattern fixed in other decoders by CVE-2026-34589/34588/34544, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses internal_dwa_compressor.h:1040.(CVE-2026-40250)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:24.03-LTS-SP3 / OpenEXR

Package

Name
OpenEXR
Purl
pkg:rpm/openEuler/OpenEXR&distro=openEuler-24.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.11-8.oe2403sp3

Ecosystem specific 

{
    "x86_64": [
        "OpenEXR-3.1.11-8.oe2403sp3.x86_64.rpm",
        "OpenEXR-debuginfo-3.1.11-8.oe2403sp3.x86_64.rpm",
        "OpenEXR-debugsource-3.1.11-8.oe2403sp3.x86_64.rpm",
        "OpenEXR-devel-3.1.11-8.oe2403sp3.x86_64.rpm",
        "OpenEXR-libs-3.1.11-8.oe2403sp3.x86_64.rpm"
    ],
    "src": [
        "OpenEXR-3.1.11-8.oe2403sp3.src.rpm"
    ],
    "aarch64": [
        "OpenEXR-3.1.11-8.oe2403sp3.aarch64.rpm",
        "OpenEXR-debuginfo-3.1.11-8.oe2403sp3.aarch64.rpm",
        "OpenEXR-debugsource-3.1.11-8.oe2403sp3.aarch64.rpm",
        "OpenEXR-devel-3.1.11-8.oe2403sp3.aarch64.rpm",
        "OpenEXR-libs-3.1.11-8.oe2403sp3.aarch64.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-2180.json"