CVE-2026-27622: CWE-787: Out-of-bounds Write in AcademySoftwareFoundation openexr
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel sample totals are accumulated in a vector<unsigned int> total_sizes; for attacker-controlled large counts spread across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from the wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup and consumption proceed with the true sample counts, and the write operations in the core unpack routine (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
AI Analysis
Technical Summary
The vulnerability CVE-2026-27622 exists in the openexr library, which implements the EXR image file format widely used in the motion picture industry. The issue occurs in the CompositeDeepScanLine::readPixels function where per-pixel sample counts are accumulated in a vector of unsigned integers (total_sizes). An attacker can supply crafted EXR files with large sample counts that cause the accumulation to wrap modulo 2^32, resulting in an integer overflow. This overflow leads to an incorrect overall_sample_count value used to resize the samples[channel] buffer, making it undersized relative to the actual number of samples processed later. During the decoding phase, the function generic_unpack_deep_pointers writes beyond the allocated buffer boundaries, causing an out-of-bounds write (CWE-787). This memory corruption can lead to undefined behavior including crashes, data corruption, or potentially arbitrary code execution. The vulnerability affects openexr versions from 2.3.0 up to but not including 3.2.6, versions 3.3.0 up to but not including 3.3.8, and versions 3.4.0 up to but not including 3.4.6. The flaw requires user interaction (processing a malicious EXR file) but no privileges or authentication, and the attack vector is local (AV:L). The CVSS 4.0 base score is 8.4, indicating high severity with high impact on confidentiality, integrity, and availability. No public exploits are known at this time, but the vulnerability is critical for environments processing untrusted EXR files.
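The following is an added example, not OpenEXR's own code, that models the accumulation pattern the advisory describes: per-pixel sample counts from several parts summed into a vector<unsigned int>, with the wrapped sum then used as the buffer size. It places the vulnerable pattern beside a hardened form that accumulates in 64 bits and rejects any count table that exceeds an explicit cap before anything is sized or written. All function names and the sample count tables are hypothetical and constructed here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not OpenEXR code. Models the per-pixel, per-part accumulation
// the advisory describes for CompositeDeepScanLine::readPixels. Names are hypothetical.

// One part's per-pixel sample counts (the values a crafted file controls).
using PartCounts = std::vector<unsigned int>;

// Vulnerable pattern: 32-bit unsigned accumulation wraps modulo 2^32, so the value
// handed to resize() can be far smaller than the number of samples later written.
unsigned int vulnerable_overall_count(const std::vector<PartCounts>& parts,
                                      std::size_t npixels)
{
    std::vector<unsigned int> total_sizes(npixels, 0u);
    for (const PartCounts& part : parts)
        for (std::size_t px = 0; px < npixels; ++px)
            total_sizes[px] += part[px];   // wraps silently past 0xFFFFFFFF

    unsigned int overall_sample_count = 0u;
    for (unsigned int t : total_sizes)
        overall_sample_count += t;         // wraps again
    return overall_sample_count;           // what samples[channel].resize() would get
}

// What the decoder actually writes: the unwrapped total.
std::uint64_t true_sample_count(const std::vector<PartCounts>& parts,
                                std::size_t npixels)
{
    std::uint64_t total = 0;
    for (const PartCounts& part : parts)
        for (std::size_t px = 0; px < npixels; ++px)
            total += part[px];
    return total;
}

// True when the vulnerable sizing allocates fewer slots than get written.
bool would_overrun(const std::vector<PartCounts>& parts, std::size_t npixels)
{
    return true_sample_count(parts, npixels) > vulnerable_overall_count(parts, npixels);
}

// Hardened pattern: 64-bit accumulators plus a checked add against an explicit cap.
// `a` and `out` may alias; `a` is read by value before `out` is assigned.
static bool checked_add(std::uint64_t a, std::uint64_t b, std::uint64_t limit,
                        std::uint64_t& out)
{
    if (a > limit || b > limit - a) return false;
    out = a + b;
    return true;
}

bool hardened_overall_count(const std::vector<PartCounts>& parts, std::size_t npixels,
                            std::uint64_t max_samples, std::uint64_t& overall)
{
    std::vector<std::uint64_t> total_sizes(npixels, 0);
    overall = 0;
    for (const PartCounts& part : parts) {
        if (part.size() != npixels) return false;    // malformed count table
        for (std::size_t px = 0; px < npixels; ++px) {
            if (!checked_add(total_sizes[px], part[px], max_samples, total_sizes[px]))
                return false;                        // per-pixel total would exceed cap
            if (!checked_add(overall, part[px], max_samples, overall))
                return false;                        // overall total would exceed cap
        }
    }
    return true;
}

// Constructed inputs (not from a real file). Hostile: one pixel, two parts, each
// claiming 0x80000001 samples; the 32-bit sum 0x100000002 wraps to 2.
std::vector<PartCounts> constructed_hostile_parts() { return {{0x80000001u}, {0x80000001u}}; }
std::vector<PartCounts> constructed_benign_parts()  { return {{3u}, {4u}}; }

int main()
{
    const auto hostile = constructed_hostile_parts();
    std::printf("wrapped resize size: %u, true samples: %llu, overrun: %s\n",
                vulnerable_overall_count(hostile, 1),
                (unsigned long long)true_sample_count(hostile, 1),
                would_overrun(hostile, 1) ? "yes" : "no");
    std::uint64_t n = 0;
    std::printf("hardened accepts hostile table: %s\n",
                hardened_overall_count(hostile, 1, 1u << 30, n) ? "yes" : "no");
    return 0;
}
```

The cap passed to the hardened variant should be derived from what the application is prepared to allocate (for example image dimensions times a sane maximum samples per pixel), not from the file's own headers; a limit read from the file is still attacker-controlled.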
Potential Impact
This vulnerability poses significant risks to organizations that utilize the openexr library for image processing, particularly in the motion picture, visual effects, and media production industries. Exploitation can lead to memory corruption, resulting in application crashes or denial of service, disrupting production workflows. More critically, the out-of-bounds write could be leveraged to execute arbitrary code, potentially allowing attackers to compromise systems, steal sensitive intellectual property, or move laterally within networks. Since openexr is often integrated into complex media pipelines and rendering software, a successful exploit could impact multiple systems and users. The requirement for user interaction (opening or processing a malicious EXR file) limits remote exploitation but does not eliminate risk, especially in environments where files are shared or imported from external sources. The vulnerability could also be used as a vector for supply chain attacks or targeted intrusions against media companies. The absence of known exploits currently provides a window for proactive mitigation.
Mitigation Recommendations
Organizations should immediately upgrade openexr to the patched versions 3.2.6, 3.3.8, or 3.4.6 depending on their current deployment. Until patching is possible, implement strict validation of EXR files from untrusted sources before they reach production tools. Note that the overflow occurs while the library itself parses the deep sample-count tables, so any pre-validation must run in an isolated process or against the patched library rather than the vulnerable one; pipelines that do not need deep compositing can also reject deep multi-part inputs at ingest. Employ application allowlisting and sandboxing for image processing tools to limit the impact of potential exploitation. Monitor logs and system behavior for crashes or anomalies related to EXR file handling. Restrict file sharing and ingestion workflows to trusted partners and use secure transfer mechanisms. Conduct security awareness training for users to recognize suspicious files and avoid opening unverified EXR images. Additionally, deploy runtime memory protection technologies such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to raise the cost of turning the out-of-bounds write into code execution. Finally, maintain an incident response plan tailored for media production environments to quickly address any exploitation attempts.
Affected Countries
United States, Canada, United Kingdom, France, Germany, Japan, South Korea, Australia, India, China
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T22:02:30.027Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a76534d1a09e29cb81f9b1
Added to database: 3/3/2026, 10:48:20 PM
Last enriched: 3/11/2026, 7:09:10 PM
Last updated: 4/17/2026, 8:51:23 PM