CVE-2026-27622: CWE-787: Out-of-bounds Write in AcademySoftwareFoundation openexr
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in a vector<unsigned int> named total_sizes; for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from the wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup and consumption proceed with the true sample counts, so write operations in the core unpack routine (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
AI Analysis
Technical Summary
CVE-2026-27622 is an out-of-bounds write vulnerability, classified under CWE-787, in the openexr library maintained by the AcademySoftwareFoundation. OpenEXR is widely used for storing high dynamic range images in the motion picture industry.

The vulnerability exists in the CompositeDeepScanLine::readPixels function, where per-pixel sample counts are accumulated in a vector<unsigned int> named total_sizes. A crafted EXR file with large sample counts causes the total_sizes values to wrap modulo 2^32 through unsigned integer overflow. The resulting overall_sample_count is smaller than the actual number of samples, so the samples[channel] vector resized from it is undersized. The core unpack function generic_unpack_deep_pointers then writes the true number of samples beyond the bounds of this buffer, causing an out-of-bounds write. This memory corruption can lead to arbitrary code execution, denial of service via crashes, or data integrity issues.

The vulnerability affects openexr versions >= 2.3.0 and < 3.2.6, >= 3.3.0 and < 3.3.8, and >= 3.4.0 and < 3.4.6. It was published on March 3, 2026, with a CVSS 4.0 base score of 8.4 (high severity). The vector indicates local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:A), and high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild. The flaw is fixed in versions 3.2.6, 3.3.8, and 3.4.6.
Potential Impact
This vulnerability poses a significant risk to organizations using openexr in their imaging and motion picture production pipelines. Exploitation can lead to arbitrary code execution, allowing attackers to run malicious code within the context of the vulnerable application. This can compromise confidentiality by leaking sensitive image data or intellectual property, integrity by corrupting image files or processing results, and availability by causing application crashes or denial of service. Since openexr is often integrated into complex media processing workflows, a successful exploit could disrupt production environments, delay project timelines, and result in financial losses. The requirement for user interaction and local access limits remote exploitation but does not eliminate risk, especially in environments where untrusted EXR files are processed or shared. The absence of known exploits in the wild suggests limited current threat but does not preclude future attacks once exploit code becomes available.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade openexr to version 3.2.6, 3.3.8, or 3.4.6 (or later in the corresponding release series), where the flaw is patched. Additionally, implement strict validation and sanitization of all EXR files before processing, especially those from untrusted sources, to detect anomalous sample counts or malformed headers. Employ runtime protections such as memory safety tools (e.g., AddressSanitizer) during development and testing to detect out-of-bounds accesses. Limit the exposure of openexr processing components by restricting file input sources and enforcing least privilege on processes that handle EXR files. Monitor logs and application behavior for crashes or suspicious activity that could indicate exploitation attempts. Finally, maintain an inventory of all software components that use openexr to ensure comprehensive patching and risk assessment.
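The sample-count arithmetic described in the technical summary, and the sample-count validation the mitigation section recommends, as an added C++ example. This is not OpenEXR code: the function names (overall_count_wrapping, overall_count_checked, bounds_checked_append), the max_total ceiling and the input data are all hypothetical and constructed here to show why a 32-bit running total is unsafe and what a fail-closed replacement looks like.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Per-pixel sample counts of one deep part for a scanline (constructed input,
// not a real EXR decode).
using PartCounts = std::vector<unsigned int>;

// Constructed inputs. crafted_parts(): two parts whose counts for the single
// pixel sum to 2^32 + 1. benign_parts(): two parts, two pixels, small counts.
std::vector<PartCounts> crafted_parts() { return {{0xFFFFFFFFu}, {2u}}; }
std::vector<PartCounts> benign_parts()  { return {{1u, 2u}, {3u, 4u}}; }

// Vulnerable pattern (as the advisory describes it): per-pixel totals are kept
// in unsigned int, so adding many parts' counts wraps silently modulo 2^32. The
// sum of the wrapped per-pixel totals is what ends up sizing the sample buffer.
std::uint64_t overall_count_wrapping(const std::vector<PartCounts>& parts,
                                     std::size_t width) {
    std::vector<unsigned int> total_sizes(width, 0);
    for (const auto& part : parts)
        for (std::size_t ptr = 0; ptr < width; ++ptr)
            total_sizes[ptr] += part[ptr];  // wraps when the true total >= 2^32
    std::uint64_t overall_sample_count = 0;
    for (unsigned int t : total_sizes) overall_sample_count += t;
    return overall_sample_count;
}

// The number of samples the decode stage will actually write: the same counts,
// summed without truncation.
std::uint64_t true_sample_count(const std::vector<PartCounts>& parts,
                                std::size_t width) {
    std::uint64_t n = 0;
    for (const auto& part : parts)
        for (std::size_t ptr = 0; ptr < width; ++ptr) n += part[ptr];
    return n;
}

// Hardened pattern: 64-bit accumulation plus an explicit ceiling on both the
// per-pixel total and the overall total. Fails closed (returns false) instead
// of ever handing a truncated count to resize(). max_total is a hypothetical
// allocation ceiling chosen by the caller, not an OpenEXR constant.
bool overall_count_checked(const std::vector<PartCounts>& parts, std::size_t width,
                           std::uint64_t max_total, std::uint64_t& overall_out) {
    std::vector<std::uint64_t> total_sizes(width, 0);
    std::uint64_t overall_sample_count = 0;
    for (const auto& part : parts) {
        if (part.size() != width) return false;  // malformed part: count array too short
        for (std::size_t ptr = 0; ptr < width; ++ptr) {
            total_sizes[ptr] += part[ptr];
            // Each addend is < 2^32 and the running total is held <= max_total,
            // so this check also rules out 64-bit wrap for any sane ceiling.
            if (total_sizes[ptr] > max_total) return false;
        }
    }
    for (std::uint64_t t : total_sizes) {
        overall_sample_count += t;
        if (overall_sample_count > max_total) return false;
    }
    overall_out = overall_sample_count;
    return true;
}

// Convenience wrapper: the checked count, or -1 if the input was rejected.
std::int64_t checked_or_minus1(const std::vector<PartCounts>& parts,
                               std::size_t width, std::uint64_t max_total) {
    std::uint64_t n = 0;
    return overall_count_checked(parts, width, max_total, n)
               ? static_cast<std::int64_t>(n) : -1;
}

// Defence in depth at the write side: the unpack loop should refuse to write
// past the buffer it was given, regardless of how the size was computed.
bool bounds_checked_append(std::vector<float>& buffer, std::size_t capacity,
                           const std::vector<float>& samples) {
    if (buffer.size() > capacity || samples.size() > capacity - buffer.size())
        return false;  // would overrun the composite sample buffer
    buffer.insert(buffer.end(), samples.begin(), samples.end());
    return true;
}

// Two appends into a buffer of capacity 3: the first (2 samples) fits, the
// second (2 more) is rejected, so the final size stays at 2.
std::size_t append_demo() {
    std::vector<float> buffer;
    bounds_checked_append(buffer, 3, {1.0f, 2.0f});
    bounds_checked_append(buffer, 3, {3.0f, 4.0f});
    return buffer.size();
}

int main() {
    auto parts = crafted_parts();
    std::printf("wrapped count: %llu, true count: %llu, checked (2^30 cap): %lld\n",
                (unsigned long long)overall_count_wrapping(parts, 1),
                (unsigned long long)true_sample_count(parts, 1),
                (long long)checked_or_minus1(parts, 1, 1ull << 30));
    return 0;
}
```

With the crafted input the wrapping accumulator reports a single sample while the decoder will write 2^32 + 1 of them; the checked version either returns the true count (under a generous ceiling) or rejects the file outright (under a realistic one), and the write-side check makes the unpack loop stop at the buffer boundary even if an earlier stage got the size wrong.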
Affected Countries
United States, Canada, United Kingdom, Germany, France, Japan, South Korea, India, Australia, China
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T22:02:30.027Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a76534d1a09e29cb81f9b1
Added to database: 3/3/2026, 10:48:20 PM
Last enriched: 3/3/2026, 11:03:10 PM
Last updated: 3/4/2026, 7:17:59 AM