CVE-2026-42217: CWE-190: Integer Overflow or Wraparound in AcademySoftwareFoundation openexr
An integer overflow or wraparound vulnerability exists in the AcademySoftwareFoundation openexr library in the readVariableLengthInteger() function. This function decodes a variable-length integer from untrusted EXR input without properly bounding the shift count, leading to undefined behavior when shifting a 64-bit value by 70 bits. The issue affects versions 3. 0. 0 to before 3. 2. 9, 3. 3. 0 to before 3. 3.
AI Analysis
Technical Summary
The openexr library, used for handling EXR image files, contains a vulnerability in the readVariableLengthInteger() function where it decodes variable-length integers from untrusted input without limiting the shift count. This can cause an integer overflow or wraparound due to a left shift operation by 70 bits on a 64-bit value, which is undefined behavior. This flaw exists in multiple version ranges prior to the patched releases 3.2.9, 3.3.11, and 3.4.11. The vulnerability is classified under CWE-190 (Integer Overflow or Wraparound) and has a CVSS 4.0 score of 6.3, reflecting a medium severity. No known exploits are reported in the wild.
Potential Impact
The vulnerability may cause undefined behavior due to integer overflow or wraparound when processing crafted EXR files, potentially leading to application crashes or other unintended behavior. There is no direct evidence from the provided data of remote code execution or data corruption, but the medium severity score suggests a moderate impact on affected systems.
Mitigation Recommendations
This vulnerability has been patched in openexr versions 3.2.9, 3.3.11, and 3.4.11. Users and organizations should upgrade to these or later versions to remediate the issue. Patch status is confirmed by the vendor's versioning information. No additional mitigation steps are specified or required beyond applying the official patches.
CVE-2026-42217: CWE-190: Integer Overflow or Wraparound in AcademySoftwareFoundation openexr
Description
An integer overflow or wraparound vulnerability exists in the AcademySoftwareFoundation openexr library in the readVariableLengthInteger() function. This function decodes a variable-length integer from untrusted EXR input without properly bounding the shift count, leading to undefined behavior when shifting a 64-bit value by 70 bits. The issue affects versions 3. 0. 0 to before 3. 2. 9, 3. 3. 0 to before 3. 3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The openexr library, used for handling EXR image files, contains a vulnerability in the readVariableLengthInteger() function where it decodes variable-length integers from untrusted input without limiting the shift count. This can cause an integer overflow or wraparound due to a left shift operation by 70 bits on a 64-bit value, which is undefined behavior. This flaw exists in multiple version ranges prior to the patched releases 3.2.9, 3.3.11, and 3.4.11. The vulnerability is classified under CWE-190 (Integer Overflow or Wraparound) and has a CVSS 4.0 score of 6.3, reflecting a medium severity. No known exploits are reported in the wild.
Potential Impact
The vulnerability may cause undefined behavior due to integer overflow or wraparound when processing crafted EXR files, potentially leading to application crashes or other unintended behavior. There is no direct evidence from the provided data of remote code execution or data corruption, but the medium severity score suggests a moderate impact on affected systems.
Mitigation Recommendations
This vulnerability has been patched in openexr versions 3.2.9, 3.3.11, and 3.4.11. Users and organizations should upgrade to these or later versions to remediate the issue. Patch status is confirmed by the vendor's versioning information. No additional mitigation steps are specified or required beyond applying the official patches.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T05:04:37.028Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fc1394cbff5d8610732760
Added to database: 5/7/2026, 4:22:44 AM
Last enriched: 5/7/2026, 4:37:42 AM
Last updated: 5/7/2026, 7:06:17 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.