Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2026-40244 (EXPLOITED)
Vendor · Product: openexr · openexr

OpenEXR has integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs `curc->width * curc->height` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other locations by the recent CVE-2026-34589 batch, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1722`.

Affected Products

Vendor    Product    Versions
openexr   openexr    >= 3.2.0, < 3.2.8; >= 3.3.0, < 3.3.10; >= 3.4.0, < 3.4.10

References

  • https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-j526-66f6-fxhx (x_refsource_CONFIRM)
  • https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.8 (x_refsource_MISC)
  • https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.10 (x_refsource_MISC)
  • https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10 (x_refsource_MISC)

Related News (1 article)

Tier C · VulDB · 20d ago
CVE-2026-40244 | AcademySoftwareFoundation OpenEXR up to 3.2.7/3.3.9/3.4.9 EXR File internal_dwa_compressor.h integer overflow (GHSA-j526-66f6-fxhx)
→ No new info (linked only)
CISA KEV: No
Actively exploited: Yes
CWE: CWE-190
Published: Apr 21, 2026
Last enriched: 20d ago (v2)
Tags: CVE-2026-40244
Trending Score: 2
Source articles: 1
Independent: 1
Info Completeness: 7/14
Missing: cvss, epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-34588 · EXP
OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
Trending: 63

NONE · CVE-2026-42216 · EXP
OpenEXR: Out-of-bounds read in `IDManifest::init()` during prefix expansion
Trending: 29

MEDIUM · CVE-2026-39886 · EXP
OpenEXR has HTJ2K Signed Integer Overflow in ht_undo_impl()
Trending: 3

NONE · CVE-2026-40250 · EXP
OpenEXR has integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)
Trending: 2

HIGH · CVE-2026-34379
OpenEXR has a misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)
Trending: 1

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 21, 2026
Discovered by ZDM: Apr 21, 2026
Updated (severity, activelyExploited, tags): Apr 21, 2026
Actively Exploited: Apr 23, 2026

Version History

Current version: v2 (last enriched 20d ago)

v2 · Tier C · 20d ago · via VulDB
Updated severity to CRITICAL, marked as actively exploited, and added new CVE ID CVE-2026-40244.
Fields changed: severity, activelyExploited, tags

v1 · 20d ago
Initial creation