Home / Vulnerability Intelligence / CVE-2026-41142

CVE-2026-41142 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: May 7, 2026

OpenEXR - Integer Overflow

Published: May 7, 2026Updated: May 7, 2026Remote Exploitable

Overview

OpenEXR 3.0.0 to <3.2.9, 3.3.0 to <3.3.11, and 3.4.0 to <3.4.11 contain an integer overflow caused by improper bounds checking in ImageChannel::resize, letting attackers cause heap out-of-bounds write via OpenEXRUtil public API, exploit requires crafted input files.

Severity & Score

Severity: High

CVSS Score: 8.8

Impact

Attackers can cause heap out-of-bounds write, potentially leading to application crash or code execution.

Mitigation

Update to versions 3.2.9, 3.3.11, or 3.4.11 or later.

References

https://github.com/AcademySoftwareFoundation/openexr/pull/2367
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-m25w-72cj-q6mg
https://github.com/AcademySoftwareFoundation/openexr/commit/0592ee539f33c122c90f09238579b902d838afb4

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-41142
Severity: High
CVSS Score: 8.8
Type: integer_overflow
Status: new

CWE

CWE-190

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H