The vulnerability CVE-2026-40244 in openexr involves an integer overflow in the calculation of image dimensions within the internal_dwa_compressor.h source file. Specifically, the product of curc->width and curc->height is computed using 32-bit signed integer arithmetic without casting to a larger type, which can cause overflow or wraparound. This flaw was overlooked in certain versions despite similar issues being fixed previously (CVE-2026-34589). The vulnerability affects multiple minor versions of openexr prior to 3.2.8, 3.3.10, and 3.4.10, where the issue has been corrected. The vulnerability has a high CVSS score of 8.4, reflecting significant potential impact if exploited.

If exploited, this integer overflow could lead to incorrect memory allocation or buffer size calculations, potentially causing memory corruption, crashes, or other undefined behavior in applications processing EXR image files using the affected openexr versions. The CVSS vector indicates local attack vector with low complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild at this time.

Users should upgrade to openexr versions 3.2.8, 3.3.10, or 3.4.10 or later, where this integer overflow issue has been fixed. Since the vendor advisory or patch availability field is not explicitly provided, confirm patch status by consulting the official AcademySoftwareFoundation openexr release notes or security advisories. No other mitigations are specified.