CVE-2026-39886: CWE-190: Integer Overflow or Wraparound in AcademySoftwareFoundation openexr
OpenEXR versions 3.4.0 through 3.4.9 contain a signed integer overflow vulnerability in the HTJ2K decompression code. Specifically, the function ht_undo_impl() uses a 32-bit signed integer to accumulate a bytes-per-line value without overflow protection. A specially crafted EXR file with a large number of FLOAT channels and maximum width can cause this value to overflow, leading to undefined behavior and potentially a heap out-of-bounds write on systems that allow large memory allocations. This vulnerability is fixed in version 3.4.10.
AI Analysis
Technical Summary
The vulnerability in AcademySoftwareFoundation's openexr (CVE-2026-39886) is a signed integer overflow in the HTJ2K decompression path, specifically in the ht_undo_impl() function in internal_ht.cpp. The 32-bit signed integer accumulator for bytes-per-line (bpl) can overflow when processing a crafted EXR file with 16,385 FLOAT channels at the maximum width of 32,767 pixels. This overflow causes the bpl value to wrap around, resulting in undefined behavior and potentially a heap out-of-bounds write if the host system permits the large memory allocation (~64 GB). This issue is distinct from a previously fixed overflow in the same function and was not addressed in earlier patches. The vulnerability is remediated in openexr version 3.4.10.
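The figures above are enough to check the overflow by hand: 16,385 FLOAT channels at 4 bytes each across 32,767 pixels is 16,385 × 32,767 × 4 = 2,147,549,180 bytes per line, which exceeds INT32_MAX (2,147,483,647) by 65,533 and so wraps negative in a 32-bit signed accumulator. The following C program is an added illustration, not OpenEXR's internal_ht.cpp code: the `pixel_type` enum, the channel-size helper and the function names are constructed for this example. It computes the exact total in 64-bit arithmetic, shows the value a two's-complement 32-bit accumulator would end up holding (computed arithmetically, since actually overflowing a signed int is undefined behavior), and contrasts that with a hardened accumulator that bounds the running sum after every channel and rejects the header instead of handing a wrapped size to an allocation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example (not OpenEXR source): channel sample types
 * and the byte width each contributes to a scanline. */
enum pixel_type { PIX_UINT = 0, PIX_HALF = 1, PIX_FLOAT = 2 };

static int64_t pixel_type_size(enum pixel_type t)
{
    switch (t) {
    case PIX_HALF:  return 2;
    case PIX_UINT:
    case PIX_FLOAT: return 4;
    }
    return 0; /* unknown type: callers treat this as invalid */
}

/* Exact bytes-per-line total accumulated in 64 bits; used only to show
 * what the 32-bit accumulator should have held. */
int64_t bytes_per_line_exact(const enum pixel_type *channels, size_t nchannels,
                             int32_t width)
{
    int64_t total = 0;
    for (size_t i = 0; i < nchannels; i++)
        total += (int64_t)width * pixel_type_size(channels[i]);
    return total;
}

/* Value a 32-bit two's-complement signed accumulator would hold for an
 * exact total in [0, 2^32). Derived arithmetically rather than by
 * overflowing, which would be undefined behavior in C. */
int64_t wrapped_int32_value(int64_t exact_total)
{
    if (exact_total > INT32_MAX)
        return exact_total - ((int64_t)1 << 32);
    return exact_total;
}

/* Hardened accumulator: bounds the running sum after every channel and
 * reports failure so no downstream allocation ever sees a wrapped size. */
bool bytes_per_line_checked(const enum pixel_type *channels, size_t nchannels,
                            int32_t width, int32_t *out)
{
    if (width <= 0)
        return false;
    int64_t bpl = 0;
    for (size_t i = 0; i < nchannels; i++) {
        int64_t sz = pixel_type_size(channels[i]);
        if (sz == 0)
            return false;
        /* width <= 32767 and sz <= 4, so the per-channel product fits
         * easily; it is the running sum that can exceed INT32_MAX. */
        bpl += (int64_t)width * sz;
        if (bpl > INT32_MAX)
            return false; /* reject the header instead of wrapping */
    }
    *out = (int32_t)bpl;
    return true;
}

/* Advisory parameters: 16,385 FLOAT channels at the maximum width 32,767. */
#define ADVISORY_CHANNELS 16385
#define ADVISORY_WIDTH    32767
static enum pixel_type g_advisory_channels[ADVISORY_CHANNELS];

static void init_advisory_channels(void)
{
    for (size_t i = 0; i < ADVISORY_CHANNELS; i++)
        g_advisory_channels[i] = PIX_FLOAT;
}

int64_t advisory_exact_total(void)
{
    init_advisory_channels();
    return bytes_per_line_exact(g_advisory_channels, ADVISORY_CHANNELS, ADVISORY_WIDTH);
}

bool advisory_case_rejected(void)
{
    int32_t bpl = 0;
    init_advisory_channels();
    return !bytes_per_line_checked(g_advisory_channels, ADVISORY_CHANNELS,
                                   ADVISORY_WIDTH, &bpl);
}

/* Ordinary three-channel FLOAT image 1920 px wide must still be accepted;
 * returns the bytes-per-line value, or -1 if the checked path rejects it. */
int32_t rgb_float_1920_bpl(void)
{
    enum pixel_type rgb[3] = { PIX_FLOAT, PIX_FLOAT, PIX_FLOAT };
    int32_t bpl = 0;
    return bytes_per_line_checked(rgb, 3, 1920, &bpl) ? bpl : -1;
}

int main(void)
{
    int64_t exact = advisory_exact_total();
    printf("exact bytes-per-line: %lld\n", (long long)exact);
    printf("as wrapped int32:     %lld\n", (long long)wrapped_int32_value(exact));
    printf("checked path rejects: %s\n", advisory_case_rejected() ? "yes" : "no");
    printf("RGB float 1920 px:    %d bytes per line\n", rgb_float_1920_bpl());
    return 0;
}
```

The checked version compares against INT32_MAX because the advisory describes a 32-bit signed accumulator; a port that widens the accumulator to 64 bits should instead bound the total against whatever the downstream allocation and indexing code can safely handle.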
Potential Impact
The integer overflow can lead to undefined behavior and a heap out-of-bounds write, which may cause application crashes or memory corruption. The impact is limited to denial of service or potential memory corruption but does not affect confidentiality or integrity directly. Exploitation requires a crafted EXR file with extreme parameters and a host system capable of allocating very large memory, making exploitation conditions somewhat constrained.
Mitigation Recommendations
A fix for this vulnerability is available in openexr version 3.4.10. Users should upgrade to version 3.4.10 or later to remediate this issue. No vendor advisory recommends a different course of action, so patching is the recommended remediation. No additional mitigations are specified.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-07T20:32:03.011Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e6d6dd19fe3cd2cd64f723
Added to database: 4/21/2026, 1:46:05 AM
Last enriched: 4/21/2026, 2:02:05 AM
Last updated: 4/21/2026, 4:39:50 AM