The openexr library, used for handling EXR image files in the motion picture industry, contains an integer overflow vulnerability (CWE-190) in its DWA lossy decoder component. Specifically, from versions 3.2.0 to before 3.2.7, 3.3.0 to before 3.3.9, and 3.4.0 to before 3.4.9, the decoder uses signed 32-bit arithmetic to compute temporary per-component block pointers. For sufficiently large image widths, this calculation overflows, causing the pointer to wrap around and subsequent decoder operations to access memory outside the allocated rowBlock buffer (CWE-787). This can lead to memory corruption and potentially impact confidentiality, integrity, and availability of the decoding process. The vulnerability has been addressed in versions 3.2.7, 3.3.9, and 3.4.9.

Successful exploitation of this integer overflow can cause the decoder to perform out-of-bounds memory writes, potentially leading to memory corruption. The CVSS 4.0 vector indicates local attack vector with low complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. This could result in denial of service or other impacts depending on how the library is used. No known exploits have been reported in the wild.

This vulnerability is fixed in openexr versions 3.2.7, 3.3.9, and 3.4.9. Users and integrators of the openexr library should upgrade to one of these fixed versions to remediate the issue. Patch status is confirmed by the vendor's versioning information. No additional mitigations are indicated.