{"id":"CVE-2026-27622","summary":"OpenEXR CompositeDeepScanLine integer-overflow leads to heap OOB write","details":"OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector\u003cunsigned int\u003e total_sizes; for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from the wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with the true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.","aliases":["GHSA-cr4v-6jm6-4963"],"modified":"2026-04-03T17:30:22.538504601Z","published":"2026-03-03T22:42:49.086Z","related":["SUSE-SU-2026:20936-1","openSUSE-SU-2026:10303-1","openSUSE-SU-2026:20433-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-787"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27622.json"},"references":[{"type":"ADVISORY","url":"https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27622.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27622"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/academysoftwarefoundation/openexr","events":[{"introduced":"0ac2ea34c8f3134148a5df4052e40f155b76f6fb"},{"fixed":"14e438dce8e6ebd03bc5564d02cfa97f9be6028a"}],"database_specific":{"versions":[{"introduced":"2.3.0"},{"fixed":"3.2.6"}]}},{"type":"GIT","repo":"https://github.com/academysoftwarefoundation/openexr","events":[{"introduced":"c7d3eac70ccde2c4ed484c6638b83ba872f71464"},{"fixed":"3fad448f2c98c70a2f6403566a664e32bbe770f8"}],"database_specific":{"versions":[{"introduced":"3.3.0"},{"fixed":"3.3.8"}]}},{"type":"GIT","repo":"https://github.com/academysoftwarefoundation/openexr","events":[{"introduced":"20a65852895894434bea88613f6d29ac8e88bd6e"},{"fixed":"d7605f5990900cff8024f1fb36ffb0912d340b52"}],"database_specific":{"versions":[{"introduced":"3.4.0"},{"fixed":"3.4.6"}]}}],"versions":["v2.3.0","v2.4.0","v2.4.0-beta.1","v2.5.0","v3.0.0-beta","v3.2.0","v3.2.0-rc","v3.2.0-rc2","v3.2.0-rc3","v3.2.0-rc4","v3.2.1","v3.2.1-rc","v3.2.2","v3.2.2-rc","v3.2.2-rc2","v3.2.3","v3.2.3-rc","v3.2.3-rc2","v3.2.4","v3.2.4-rc","v3.2.4-rc2","v3.2.5","v3.2.5-rc","v3.3.0","v3.3.0-rc2","v3.3.1","v3.3.1-rc","v3.3.2","v3.3.2-rc","v3.3.2-rc2","v3.3.2-rc3","v3.3.2-rc4","v3.3.3","v3.3.3-rc","v3.3.3-rc1","v3.3.4","v3.3.4-rc","v3.3.5","v3.3.5-rc","v3.3.5-rc3","v3.3.6","v3.3.6-rc","v3.3.6-rc2","v3.3.6-rc3","v3.3.6-rc4","v3.3.7","v3.3.7-rc","v3.3.7-rc2","v3.3.7-rc3","v3.3.7-rc4","v3.4.0","v3.4.1","v3.4.1-rc","v3.4.1-rc2","v3.4.2","v3.4.2-rc","v3.4.2-rc2","v3.4.3","v3.4.3-rc","v3.4.3-rc2","v3.4.3-rc3","v3.4.4","v3.4.4-rc","v3.4.4-rc2","v3.4.5","v3.4.5-rc","v3.4.6-rc"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27622.json","vanir_signatures":[{"target":{"file":"src/lib/OpenEXRCore/openexr_version.h"},"digest":{"line_hashes":["239338313904543462456885454604527003099","109654351193261023483294361034554114820"],"threshold":0.9},"source":"https://github.com/academysoftwarefoundation/openexr/commit/3fad448f2c98c70a2f6403566a664e32bbe770f8","id":"CVE-2026-27622-8f60c111","signature_type":"Line","deprecated":false,"signature_version":"v1"}]}},{"ranges":[{"type":"GIT","repo":"https://github.com/openexr/openexr","events":[{"introduced":"0"},{"fixed":"14e438dce8e6ebd03bc5564d02cfa97f9be6028a"},{"introduced":"c7d3eac70ccde2c4ed484c6638b83ba872f71464"},{"fixed":"3fad448f2c98c70a2f6403566a664e32bbe770f8"},{"introduced":"20a65852895894434bea88613f6d29ac8e88bd6e"},{"fixed":"d7605f5990900cff8024f1fb36ffb0912d340b52"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.2.6"},{"introduced":"3.3.0"},{"fixed":"3.3.8"},{"introduced":"3.4.0"},{"fixed":"3.4.6"}]}}],"versions":["v3.3.0","v3.3.0-rc2","v3.3.1","v3.3.1-rc","v3.3.2","v3.3.2-rc","v3.3.2-rc2","v3.3.2-rc3","v3.3.2-rc4","v3.3.3","v3.3.3-rc","v3.3.3-rc1","v3.3.4","v3.3.4-rc","v3.3.5","v3.3.5-rc","v3.3.5-rc3","v3.3.6","v3.3.6-rc","v3.3.6-rc2","v3.3.6-rc3","v3.3.6-rc4","v3.3.7","v3.3.7-rc","v3.3.7-rc2","v3.3.7-rc3","v3.3.7-rc4","v3.4.0","v3.4.1","v3.4.1-rc","v3.4.1-rc2","v3.4.2","v3.4.2-rc","v3.4.2-rc2","v3.4.3","v3.4.3-rc","v3.4.3-rc2","v3.4.3-rc3","v3.4.4","v3.4.4-rc","v3.4.4-rc2","v3.4.5","v3.4.5-rc","v3.4.6-rc"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27622.json","vanir_signatures":[{"id":"CVE-2026-27622-6ea1d6d2","digest":{"threshold":0.9,"line_hashes":["239338313904543462456885454604527003099","109654351193261023483294361034554114820"]},"source":"https://github.com/openexr/openexr/commit/3fad448f2c98c70a2f6403566a664e32bbe770f8","target":{"file":"src/lib/OpenEXRCore/openexr_version.h"},"deprecated":false,"signature_type":"Line","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}