{"url":"http://public2.vulnerablecode.io/api/packages/74400?format=json","purl":"pkg:pypi/openexr@3.4.6","type":"pypi","namespace":"","name":"openexr","version":"3.4.6","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50521?format=json","vulnerability_id":"VCID-qn33-asyh-y3hw","summary":"OpenEXR's CompositeDeepScanLine integer-overflow leads to heap OOB write\nFunction: `CompositeDeepScanLine::readPixels`, reachable from high-level multipart deep read flows (`MultiPartInputFile` + `DeepScanLineInputPart` + `CompositeDeepScanLine`).\n\nVulnerable lines (`src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp`):\n- `total_sizes[ptr] += counts[j][ptr];` (line ~511)\n- `overall_sample_count += total_sizes[ptr];` (line ~514)\n- `samples[channel].resize (overall_sample_count);` (line ~535)\n\nImpact: 32-bit sample-count accumulation wrap leads to undersized allocation, then decode writes with true sample volume, causing heap OOB write in `generic_unpack_deep_pointers` (`src/lib/OpenEXRCore/unpack.c:1374`) (DoS/Crash, memory corruption/RCE).\n\nAttack scenario:\n- Attacker provides multipart deep EXR with many parts and very large sample counts per pixel.\n- Uses compression (RLE/ZIPS) to keep file size relatively small vs decode pressure.\n- The overflow happens in composite sample accounting (`unsigned int`), while pointer progression for decode uses larger counters and reaches out-of-bounds.\n\nTested on: `OpenEXR 4.0.0-dev` (commit 83449669402080874b25ff1fa740649a9e6ea064) but this code has existed since v2.3.0","references":[{"reference_url":"https://github.com/AcademySoftwareFoundation/openexr","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/AcademySoftwareFoundation/openexr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27622","reference_id":"CVE-2026-27622","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27622"},{"reference_url":"https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963","reference_id":"GHSA-cr4v-6jm6-4963","reference_type":"","scores":[],"url":"https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963"},{"reference_url":"https://github.com/advisories/GHSA-cr4v-6jm6-4963","reference_id":"GHSA-cr4v-6jm6-4963","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cr4v-6jm6-4963"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74398?format=json","purl":"pkg:pypi/openexr@3.2.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/openexr@3.2.6"},{"url":"http://public2.vulnerablecode.io/api/packages/74399?format=json","purl":"pkg:pypi/openexr@3.3.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/openexr@3.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/74400?format=json","purl":"pkg:pypi/openexr@3.4.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/openexr@3.4.6"}],"aliases":["CVE-2026-27622","GHSA-cr4v-6jm6-4963"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qn33-asyh-y3hw"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/openexr@3.4.6"}