{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39886", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T20:32:03.011Z", "datePublished": "2026-04-21T01:27:01.371Z", "dateUpdated": "2026-04-21T13:49:21.573Z"}, "containers": {"cna": {"title": "OpenEXR has HTJ2K Signed Integer Overflow in ht_undo_impl()", "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-r3mr-mx8q-jcw5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-r3mr-mx8q-jcw5"}, {"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10"}], "affected": [{"vendor": "AcademySoftwareFoundation", "product": "openexr", "versions": [{"version": ">= 3.4.0, < 3.4.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T01:27:01.371Z"}, "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Versions 3.4.0 through 3.4.9 have a signed integer overflow vulnerability in OpenEXR's HTJ2K (High-Throughput JPEG 2000) decompression path. The `ht_undo_impl()` function in `src/lib/OpenEXRCore/internal_ht.cpp` accumulates a bytes-per-line value (`bpl`) using a 32-bit signed integer with no overflow guard. A crafted EXR file with 16,385 FLOAT channels at the HTJ2K maximum width of 32,767 causes `bpl` to overflow `INT_MAX`, producing undefined behavior confirmed by UBSan. On an\nallocator-permissive host where the required ~64 GB allocation succeeds, the wrapped negative `bpl` value would subsequently be used as a per-scanline pointer advance, which would produce a heap out-of-bounds write. On a memory-constrained host, the allocation fails before `ht_undo_impl()` is entered. This is the second distinct integer overflow in `ht_undo_impl()`. CVE-2026-34545 addressed a different overflow in the same function \u2014 the `int16_t p` pixel-loop counter at line ~302 that overflows when iterating over channels whose `width` exceeds 32,767. The CVE-2026-34545 fix did not touch the `int bpl` accumulator at line 211, which is the subject of this advisory. The `bpl` accumulator was also not addressed by any of the 8 advisories in the 2026-04-05 v3.4.9 release batch. This finding is structurally identical to CVE-2026-34588 (PIZ `wcount*nx` overflow in `internal_piz.c`) and should be remediated with the same pattern. The CVE-2026-34588 fix did not touch `internal_ht.cpp`. Version 3.4.10 contains a remediation that addresses the vulnerability in `internal_ht.cpp`."}], "source": {"advisory": "GHSA-r3mr-mx8q-jcw5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T13:49:09.656578Z", "id": "CVE-2026-39886", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T13:49:21.573Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39886", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T13:49:09.656578Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T13:49:17.578Z"}}], "cna": {"title": "OpenEXR has HTJ2K Signed Integer Overflow in ht_undo_impl()", "source": {"advisory": "GHSA-r3mr-mx8q-jcw5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "AcademySoftwareFoundation", "product": "openexr", "versions": [{"status": "affected", "version": ">= 3.4.0, < 3.4.10"}]}], "references": [{"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-r3mr-mx8q-jcw5", "name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-r3mr-mx8q-jcw5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10", "name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Versions 3.4.0 through 3.4.9 have a signed integer overflow vulnerability in OpenEXR's HTJ2K (High-Throughput JPEG 2000) decompression path. The `ht_undo_impl()` function in `src/lib/OpenEXRCore/internal_ht.cpp` accumulates a bytes-per-line value (`bpl`) using a 32-bit signed integer with no overflow guard. A crafted EXR file with 16,385 FLOAT channels at the HTJ2K maximum width of 32,767 causes `bpl` to overflow `INT_MAX`, producing undefined behavior confirmed by UBSan. On an\nallocator-permissive host where the required ~64 GB allocation succeeds, the wrapped negative `bpl` value would subsequently be used as a per-scanline pointer advance, which would produce a heap out-of-bounds write. On a memory-constrained host, the allocation fails before `ht_undo_impl()` is entered. This is the second distinct integer overflow in `ht_undo_impl()`. CVE-2026-34545 addressed a different overflow in the same function \u2014 the `int16_t p` pixel-loop counter at line ~302 that overflows when iterating over channels whose `width` exceeds 32,767. The CVE-2026-34545 fix did not touch the `int bpl` accumulator at line 211, which is the subject of this advisory. The `bpl` accumulator was also not addressed by any of the 8 advisories in the 2026-04-05 v3.4.9 release batch. This finding is structurally identical to CVE-2026-34588 (PIZ `wcount*nx` overflow in `internal_piz.c`) and should be remediated with the same pattern. The CVE-2026-34588 fix did not touch `internal_ht.cpp`. Version 3.4.10 contains a remediation that addresses the vulnerability in `internal_ht.cpp`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T01:27:01.371Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39886", "state": "PUBLISHED", "dateUpdated": "2026-04-21T13:49:21.573Z", "dateReserved": "2026-04-07T20:32:03.011Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T01:27:01.371Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "matchCriteriaId": "7AEDBB28-BFC6-427E-977B-A26211BC5724", "versionEndExcluding": "3.4.10", "versionStartIncluding": "3.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Versions 3.4.0 through 3.4.9 have a signed integer overflow vulnerability in OpenEXR's HTJ2K (High-Throughput JPEG 2000) decompression path. The `ht_undo_impl()` function in `src/lib/OpenEXRCore/internal_ht.cpp` accumulates a bytes-per-line value (`bpl`) using a 32-bit signed integer with no overflow guard. A crafted EXR file with 16,385 FLOAT channels at the HTJ2K maximum width of 32,767 causes `bpl` to overflow `INT_MAX`, producing undefined behavior confirmed by UBSan. On an\nallocator-permissive host where the required ~64 GB allocation succeeds, the wrapped negative `bpl` value would subsequently be used as a per-scanline pointer advance, which would produce a heap out-of-bounds write. On a memory-constrained host, the allocation fails before `ht_undo_impl()` is entered. This is the second distinct integer overflow in `ht_undo_impl()`. CVE-2026-34545 addressed a different overflow in the same function \u2014 the `int16_t p` pixel-loop counter at line ~302 that overflows when iterating over channels whose `width` exceeds 32,767. The CVE-2026-34545 fix did not touch the `int bpl` accumulator at line 211, which is the subject of this advisory. The `bpl` accumulator was also not addressed by any of the 8 advisories in the 2026-04-05 v3.4.9 release batch. This finding is structurally identical to CVE-2026-34588 (PIZ `wcount*nx` overflow in `internal_piz.c`) and should be remediated with the same pattern. The CVE-2026-34588 fix did not touch `internal_ht.cpp`. Version 3.4.10 contains a remediation that addresses the vulnerability in `internal_ht.cpp`."}], "id": "CVE-2026-39886", "lastModified": "2026-04-22T18:41:18.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T02:16:07.753", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-r3mr-mx8q-jcw5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "OpenEXR: OpenEXR: Signed integer overflow in HTJ2K decompression can lead to denial of service.", "id": "2459960", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459960"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in OpenEXR, an image storage format for the motion picture industry. A remote attacker could exploit a signed integer overflow vulnerability in the HTJ2K (High-Throughput JPEG 2000) decompression path by providing a specially crafted EXR file. This flaw causes an internal bytes-per-line value to overflow, leading to undefined behavior. In certain environments, this could result in a heap out-of-bounds write, potentially causing a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-39886", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "openexr", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "openexr", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-21T01:27:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-39886\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39886\nhttps://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10\nhttps://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-r3mr-mx8q-jcw5"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.4.0,3.4.10)"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 82.0, "source": "matching"}]}, "original": {"product": "openexr", "source": "cna", "vendor": "AcademySoftwareFoundation"}, "product": "openexr", "vendor": "academysoftwarefoundation"}], "analysis": {"en": {"generated_at": "2026-04-21T15:31:38.451249+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEXR to version 3.4.10 or later, which contains the required fix for the integer overflow in internal_ht.cpp.", "Rebuild or relink any applications that statically link to OpenEXR with the updated library binary.", "Restart services or applications that load the library to ensure the patched version is in use."], "summary": {"action": "Apply Patch", "impact": "Heap Out\u2011Of\u2011Bounds Write leading to memory corruption"}, "threat_synthesis": {"affected_systems": "All installations of the AcademySoftwareFoundation OpenEXR library version 3.4.0 through 3.4.9 are vulnerable. Version 3.4.10 and later contain a remediation that addresses the integer overflow in internal_ht.cpp and removes the risk discussed here.", "description_and_impact": "The flaw is a signed integer overflow in the ht_undo_impl() function of OpenEXR\u2019s HTJ2K decompression path. When a crafted EXR file containing 16,385 FLOAT channels at the maximum width of 32,767 is processed, the 32\u2011bit signed counter for bytes\u2011per\u2011line overflows, turning into a negative value. That negative value is then used to advance a per\u2011scanline pointer, producing a heap out\u2011of\u2011bounds write. The overflow is type CWE\u2011190 and can lead to memory corruption that, if exploited, could compromise application integrity or enable arbitrary code execution.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known public exploitation at this time. An attacker would need to supply a specifically crafted EXR file, and the host must have sufficient memory for a ~64\u202fGB allocation to trigger the overflow; on memory\u2011constrained hosts the allocation fails before the vulnerable code is reached. While the conditions reduce exploitation likelihood, the potential impact warrants timely mitigation."}}}}, "created": "2026-04-21T15:37:55.178003+00:00", "updated": "2026-04-22T11:46:57.988740+00:00", "vendors": ["academysoftwarefoundation", "academysoftwarefoundation$PRODUCT$openexr"]}