CVE-2026-40250: CWE-190: Integer Overflow or Wraparound in AcademySoftwareFoundation openexr
CVE-2026-40250 is a high-severity integer overflow vulnerability in the AcademySoftwareFoundation's openexr library affecting versions 3. 2. 0 through 3. 2. 7, 3. 3. 0 through 3. 3. 9, and 3. 4.
AI Analysis
Technical Summary
OpenEXR is a widely used image storage format implementation for the motion picture industry. In affected versions of openexr, a critical integer overflow occurs in the internal_dwa_compressor.h file at line 1040 due to multiplication of chan->width and chan->bytes_per_element using int32 arithmetic without proper casting to size_t. This can lead to overflow or wraparound, potentially causing memory corruption or other undefined behavior. The vulnerability is similar to previously fixed issues (CVE-2026-34589/34588/34544) but was missed in this specific code location. Versions 3.2.8, 3.3.10, and 3.4.10 include the fix for this issue.
Potential Impact
The integer overflow can result in incorrect memory allocation or buffer sizes, potentially leading to memory corruption or crashes when processing specially crafted EXR files. Given the high CVSS score (8.4) and the nature of the vulnerability, it poses a significant risk to applications using vulnerable openexr versions, especially in local attack scenarios with low complexity. However, no known exploits have been reported in the wild so far.
Mitigation Recommendations
Users should upgrade to openexr versions 3.2.8, 3.3.10, or 3.4.10 or later, which contain the fix for this integer overflow vulnerability. Since the vendor advisory is not explicitly provided, patch status is inferred from version fixes mentioned in the description. No other mitigation or temporary workaround is indicated. Patch status is not yet confirmed by an official vendor advisory; users should verify with the AcademySoftwareFoundation for the latest remediation guidance.
CVE-2026-40250: CWE-190: Integer Overflow or Wraparound in AcademySoftwareFoundation openexr
Description
CVE-2026-40250 is a high-severity integer overflow vulnerability in the AcademySoftwareFoundation's openexr library affecting versions 3. 2. 0 through 3. 2. 7, 3. 3. 0 through 3. 3. 9, and 3. 4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenEXR is a widely used image storage format implementation for the motion picture industry. In affected versions of openexr, a critical integer overflow occurs in the internal_dwa_compressor.h file at line 1040 due to multiplication of chan->width and chan->bytes_per_element using int32 arithmetic without proper casting to size_t. This can lead to overflow or wraparound, potentially causing memory corruption or other undefined behavior. The vulnerability is similar to previously fixed issues (CVE-2026-34589/34588/34544) but was missed in this specific code location. Versions 3.2.8, 3.3.10, and 3.4.10 include the fix for this issue.
Potential Impact
The integer overflow can result in incorrect memory allocation or buffer sizes, potentially leading to memory corruption or crashes when processing specially crafted EXR files. Given the high CVSS score (8.4) and the nature of the vulnerability, it poses a significant risk to applications using vulnerable openexr versions, especially in local attack scenarios with low complexity. However, no known exploits have been reported in the wild so far.
Mitigation Recommendations
Users should upgrade to openexr versions 3.2.8, 3.3.10, or 3.4.10 or later, which contain the fix for this integer overflow vulnerability. Since the vendor advisory is not explicitly provided, patch status is inferred from version fixes mentioned in the description. No other mitigation or temporary workaround is indicated. Patch status is not yet confirmed by an official vendor advisory; users should verify with the AcademySoftwareFoundation for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T17:31:45.786Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e6d6dd19fe3cd2cd64f734
Added to database: 4/21/2026, 1:46:05 AM
Last enriched: 4/21/2026, 2:01:18 AM
Last updated: 4/21/2026, 2:53:11 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.