{"vulnerability": "CVE-2026-4024", "sightings": [{"uuid": "70a06a8a-1315-4400-9b66-72099ee91d85", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "4f29edb9-4c4b-44ca-b041-9b050656b6ae", "vulnerability": "CVE-2026-40245", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mjml3fkfus2s", "content": "", "creation_timestamp": "2026-04-16T14:01:56.441683Z"}, {"uuid": "970935fb-2ffb-446a-a8f2-6aac353c22da", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2026-40245", "type": "seen", "source": "Telegram/5D912vOHN-G66auq1Hho6ww_p26h6YJ5ZFpozWyyt1z6weM", "content": "", "creation_timestamp": "2026-04-16T15:19:53.000000Z"}, {"uuid": "5f9efdb5-b550-4c7d-8c7f-bb3daf78c86e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2026-40246", "type": "published-proof-of-concept", "source": "Telegram/x6U1CUbtpfWdw00zGhzow4OOkK7AiEHUVbiM6o3SMYH6zs0", "content": "", "creation_timestamp": "2026-04-16T23:18:23.000000Z"}, {"uuid": "b6ab98c5-aefd-4059-bef1-e6b92aaeb5e8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2026-40242", "type": "published-proof-of-concept", "source": "Telegram/azLV8BVN7oG3TROgln-jCTMw5r1pt6lKfNlckhfBfrofK-k", "content": "", "creation_timestamp": "2026-04-10T23:27:06.000000Z"}, {"uuid": "2bc05111-c338-4325-a203-39eec34e1753", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2026-40244", "type": "seen", "source": "Telegram/y8A40ypWR-zTQL04UvuWU-fhawBkUz4Q7ssav8OQJXhA_oc", "content": "", "creation_timestamp": "2026-04-21T03:18:08.000000Z"}, {"uuid": "2e3711dc-5a6f-4625-9a23-41ae0244d6c7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "4f29edb9-4c4b-44ca-b041-9b050656b6ae", "vulnerability": "CVE-2026-4024", "type": "seen", "source": "https://bsky.app/profile/atomicedge.bsky.social/post/3ml7kd4zsiu2u", "content": "", "creation_timestamp": "2026-05-06T20:33:06.476212Z"}, {"uuid": "cc8cb9b0-d43b-4630-9ad6-9dd1d3bb227e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "4f29edb9-4c4b-44ca-b041-9b050656b6ae", "vulnerability": "CVE-2026-40242", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mj6ev3mnrn2o", "content": "", "creation_timestamp": "2026-04-10T22:32:43.528507Z"}, {"uuid": "5804e950-e2ff-446e-9634-267cdad0278e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "4f29edb9-4c4b-44ca-b041-9b050656b6ae", "vulnerability": "CVE-2026-40244", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjxvwqbq272k", "content": "", "creation_timestamp": "2026-04-21T02:14:26.713028Z"}, {"uuid": "c032a03d-54b6-47fd-8c2d-47fb92ba8e77", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "4f29edb9-4c4b-44ca-b041-9b050656b6ae", "vulnerability": "CVE-2026-40245", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjlemrzh2u2t", "content": "", "creation_timestamp": "2026-04-16T02:32:42.156957Z"}, {"uuid": "0dc679fd-a37b-4b26-ac92-51a036a41010", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "4f29edb9-4c4b-44ca-b041-9b050656b6ae", "vulnerability": "CVE-2026-40242", "type": "confirmed", "source": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2026/CVE-2026-40242.yaml", "content": "", "creation_timestamp": "2026-04-17T03:03:48.000000Z"}, {"uuid": "376068d6-a19d-4004-a8e8-c86fbd3de636", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2026-40247", "type": "published-proof-of-concept", "source": "Telegram/uUtOgPMgnfpzQaGdgE5uvRP8Wc5_QVkmzi4lAg5HL6Ws0-I", "content": "", "creation_timestamp": "2026-04-16T23:18:29.000000Z"}, {"uuid": "6454fb9f-b07a-4914-a647-e660ca1762d5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2026-40248", "type": "published-proof-of-concept", "source": "Telegram/uUtOgPMgnfpzQaGdgE5uvRP8Wc5_QVkmzi4lAg5HL6Ws0-I", "content": "", "creation_timestamp": "2026-04-16T23:18:29.000000Z"}, {"uuid": "c99d3c19-4c42-4a58-b5c4-92b7d41cea1e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2026-40246", "type": "published-proof-of-concept", "source": "Telegram/uUtOgPMgnfpzQaGdgE5uvRP8Wc5_QVkmzi4lAg5HL6Ws0-I", "content": "", "creation_timestamp": "2026-04-16T23:18:29.000000Z"}, {"uuid": "c75d0c0f-66f2-45c4-b2bc-56c97b3db2c4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "4f29edb9-4c4b-44ca-b041-9b050656b6ae", "vulnerability": "CVE-2026-40246", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjnnmymwy22q", "content": "", "creation_timestamp": "2026-04-17T00:19:11.862405Z"}, {"uuid": "0dfca653-2399-487f-892f-21b74e4bc8d8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "4f29edb9-4c4b-44ca-b041-9b050656b6ae", "vulnerability": "CVE-2026-40247", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjnodwyfgp2p", "content": "", "creation_timestamp": "2026-04-17T00:32:01.846988Z"}, {"uuid": "66a29603-839e-4a07-b096-c78d8bd9072c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "4f29edb9-4c4b-44ca-b041-9b050656b6ae", "vulnerability": "CVE-2026-40248", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjnoukzgas2b", "content": "", "creation_timestamp": "2026-04-17T00:41:19.988393Z"}, {"uuid": "16a55337-9263-412b-866b-7cef35da03c5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "4f29edb9-4c4b-44ca-b041-9b050656b6ae", "vulnerability": "CVE-2026-40249", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjnpghu7732f", "content": "", "creation_timestamp": "2026-04-17T00:51:20.509377Z"}, {"uuid": "0f7687bb-baaa-4af0-869d-8fd5a9c20672", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "4f29edb9-4c4b-44ca-b041-9b050656b6ae", "vulnerability": "CVE-2026-40242", "type": "seen", "source": "https://bsky.app/profile/beikokucyber.bsky.social/post/3mjpt4c54pr2p", "content": "", "creation_timestamp": "2026-04-17T21:02:36.840593Z"}, {"uuid": "ff6193f5-25ae-429e-a796-8c0d6067276c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "4f29edb9-4c4b-44ca-b041-9b050656b6ae", "vulnerability": "CVE-2026-40244", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mjq547cnbt27", "content": "", "creation_timestamp": "2026-04-18T00:01:27.659243Z"}, {"uuid": "0a5006be-5ab5-40da-a8a0-d967473e837f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2026-40244", "type": "seen", "source": "https://t.me/poxek/6045", "content": "OpenEXR: integer overflow \u0432 DWA decoder \u0432\u0435\u0434\u0451\u0442 \u043a heap OOB write. CVE-2026-40244 + CVE-2026-40250\n\n\u041d\u0430\u0448\u043b\u0438 \u043d\u0430\u0448\u0435\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u043e\u0439. \u041e\u0431\u0435 CVE \u043f\u0440\u0438\u0441\u0432\u043e\u0435\u043d\u044b, \u0444\u0438\u043a\u0441\u044b \u0441\u043c\u0435\u0440\u0436\u0435\u043d\u044b upstream.\n\n\u041f\u0440\u043e\u0435\u043a\u0442. OpenEXR \u2014 \u044d\u0442\u0430\u043b\u043e\u043d\u043d\u044b\u0439 HDR-\u0444\u043e\u0440\u043c\u0430\u0442 Academy Software Foundation. \u0421\u0440\u0435\u0434\u0438 \u0441\u043f\u043e\u043d\u0441\u043e\u0440\u043e\u0432 ASWF \u2014 Netflix, Warner Bros, Walt Disney Studios, Apple, Sony Pictures, Microsoft. \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0432 VFX-\u043f\u0430\u0439\u043f\u043b\u0430\u0439\u043d\u0430\u0445, \u0440\u0435\u043d\u0434\u0435\u0440\u0435\u0440\u0430\u0445, Blender, Nuke, Houdini.\n\n\u041e\u0434\u043d\u0430 \u043a\u043e\u0440\u043d\u0435\u0432\u0430\u044f \u043f\u0440\u0438\u0447\u0438\u043d\u0430 \u2014 \u0434\u0432\u0435 \u043b\u043e\u043a\u0430\u0446\u0438\u0438.\n\nInteger overflow \u043f\u0440\u0438 \u0443\u043c\u043d\u043e\u0436\u0435\u043d\u0438\u0438 int32_t \u00d7 int32_t \u0431\u0435\u0437 \u043f\u0440\u0438\u0432\u0435\u0434\u0435\u043d\u0438\u044f \u043a size_t \u0432 pointer-\u0430\u0440\u0438\u0444\u043c\u0435\u0442\u0438\u043a\u0435 DWA decoder. \u041e\u0431\u0430 \u2014 missed variants CVE-2026-34589: \u043a\u043e\u0433\u0434\u0430 \u043c\u0435\u0439\u043d\u0442\u0435\u0439\u043d\u0435\u0440 \u0444\u0438\u043a\u0441\u0438\u043b \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0439 CVE \u043f\u043e \u0442\u043e\u043c\u0443 \u0436\u0435 \u043a\u043b\u0430\u0441\u0441\u0443, \u0434\u0432\u0430 \u043c\u0435\u0441\u0442\u0430 \u0432 \u0444\u0438\u043a\u0441\u0435 \u043f\u0440\u043e\u043f\u0443\u0441\u0442\u0438\u043b\u0438.\n\nCVE-2026-40250 \u2014 DwaCompressor_uncompress():\n\noutBufferEnd += chan-&gt;width * chan-&gt;bytes_per_element;\n\n\u041f\u0440\u0438 width &gt; 536M \u043f\u0440\u043e\u0438\u0437\u0432\u0435\u0434\u0435\u043d\u0438\u0435 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u044f\u0435\u0442 int32_t, \u0443\u043a\u0430\u0437\u0430\u0442\u0435\u043b\u044c \u0443\u0435\u0437\u0436\u0430\u0435\u0442 \u043d\u0430\u0437\u0430\u0434, row-\u0431\u0443\u0444\u0435\u0440\u044b \u043f\u0435\u0440\u0435\u043a\u0440\u044b\u0432\u0430\u044e\u0442\u0441\u044f, LossyDctDecoder_execute \u043f\u0438\u0448\u0435\u0442 \u0432 heap.\n\nCVE-2026-40244 \u2014 setupChannelData(), RLE-\u043f\u0443\u0442\u044c:\n\n+ curc-&gt;width * curc-&gt;height\n\n\u041f\u0440\u0438 width \u00d7 height &gt; INT32_MAX \u2014 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435, \u043d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u043e\u0435 \u0441\u043c\u0435\u0449\u0435\u043d\u0438\u0435, OOB write \u043d\u0430 \u0440\u0430\u0441\u043a\u043b\u0430\u0434\u043a\u0435 RLE.\n\n\u0424\u0438\u043a\u0441 \u0432 \u043e\u0431\u043e\u0438\u0445 \u2014 (size_t) cast \u043f\u0435\u0440\u0435\u0434 \u0443\u043c\u043d\u043e\u0436\u0435\u043d\u0438\u0435\u043c. \u0422\u043e\u0442 \u0436\u0435 \u043f\u0430\u0442\u0442\u0435\u0440\u043d \u0432 \u0442\u043e\u043c \u0436\u0435 \u0444\u0430\u0439\u043b\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u043e \u043d\u0430 \u0441\u0442\u0440\u043e\u043a\u0430\u0445 1215 \u0438 1699. \u0414\u0432\u0430 \u043c\u0435\u0441\u0442\u0430 \u0437\u0430\u0431\u044b\u043b\u0438.\n\n\u041f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u044b. CVSS 8.4 (High), CWE-190. Impact \u2014 heap OOB write, \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0435 RCE.\n\n\u0417\u0430\u0442\u0440\u043e\u043d\u0443\u0442\u044b 3.2.0\u20133.2.7, 3.3.0\u20133.3.9, 3.4.0\u20133.4.9. \u041f\u0430\u0442\u0447\u0438 \u2014 3.2.8, 3.3.10, 3.4.10.\n\n\u0412\u0435\u043a\u0442\u043e\u0440. \u041b\u044e\u0431\u043e\u0439 \u0441\u0435\u0440\u0432\u0438\u0441, \u043e\u0442\u043a\u0440\u044b\u0432\u0430\u044e\u0449\u0438\u0439 \u043d\u0435\u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0439 EXR: \u0440\u0435\u043d\u0434\u0435\u0440\u0435\u0440\u044b, viewer'\u044b, DCC-\u043f\u0430\u0439\u043f\u043b\u0430\u0439\u043d\u044b, \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0445 \u0430\u0441\u0441\u0435\u0442\u043e\u0432, web-\u043f\u0440\u0435\u0432\u044c\u044e HDR.\n\n\u0412\u044b\u0432\u043e\u0434\n\n\u0414\u0430\u0436\u0435 \u0432 \u043f\u0440\u043e\u0435\u043a\u0442\u0435 \u0443\u0440\u043e\u0432\u043d\u044f ASWF, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u044e\u0442 \u0441\u0442\u0443\u0434\u0438\u0438 \u0441 \u0431\u044e\u0434\u0436\u0435\u0442\u0430\u043c\u0438 \u043d\u0430 \u0418\u0411 \u0432 \u0441\u043e\u0442\u043d\u0438 \u043c\u0438\u043b\u043b\u0438\u043e\u043d\u043e\u0432, \u0436\u0438\u0432\u0443\u0442 \u0442\u0438\u043f\u043e\u0432\u044b\u0435 integer overflow'\u044b \u2014 \u0438 \u043d\u0435 \u043f\u043e \u043e\u0434\u043d\u043e\u043c\u0443, \u0430 \u043a\u043b\u0430\u0441\u0442\u0435\u0440\u0430\u043c\u0438. \u041f\u043e\u043f\u0443\u043b\u044f\u0440\u043d\u043e\u0441\u0442\u044c \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u043d\u0435 \u0433\u0430\u0440\u0430\u043d\u0442\u0438\u0440\u0443\u0435\u0442 \u0435\u0451 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u044c. \u041b\u044e\u0431\u0443\u044e \u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e\u0441\u0442\u044c, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u0430\u0440\u0441\u0438\u0442 \u0432\u043d\u0435\u0448\u043d\u0438\u0435 \u0434\u0430\u043d\u043d\u044b\u0435, \u043d\u0443\u0436\u043d\u043e \u0437\u0430\u043a\u043b\u0430\u0434\u044b\u0432\u0430\u0442\u044c \u0432 \u043c\u043e\u0434\u0435\u043b\u044c \u0443\u0433\u0440\u043e\u0437: \u0432\u0430\u043b\u0438\u0434\u0430\u0446\u0438\u044f \u0432\u0445\u043e\u0434\u0430 \u0434\u043e \u043f\u0435\u0440\u0435\u0434\u0430\u0447\u0438 \u0432 SDK, \u043f\u0435\u0441\u043e\u0447\u043d\u0438\u0446\u0430 \u0434\u043b\u044f \u043f\u0430\u0440\u0441\u0435\u0440\u043e\u0432 \u043d\u0435\u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u043e\u0433\u043e \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0430, \u0430\u0443\u0434\u0438\u0442 int \u00d7 int \u0432 pointer-\u0432\u044b\u0447\u0438\u0441\u043b\u0435\u043d\u0438\u044f\u0445 \u043d\u0430 \u043a\u0440\u0438\u0442\u0438\u0447\u043d\u044b\u0445 \u043f\u0443\u0442\u044f\u0445.", "creation_timestamp": "2026-04-22T15:06:02.000000Z"}]}