{"id":"USN-8259-1","summary":"openexr vulnerabilities","details":"Quang Luong discovered that OpenEXR incorrectly handled sample count\naccumulation when processing deep scan line image files. An attacker could\npossibly use this issue to cause OpenEXR to crash, resulting in a denial of\nservice, or execute arbitrary code. (CVE-2026-27622)\n\nIt was discovered that OpenEXR had an integer overflow in the PXR24\ndecoder. An attacker could possibly use this issue to cause OpenEXR to\ncrash, resulting in a denial of service, or execute arbitrary code.\nThis issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS.\n(CVE-2026-34380)\n\nQuang Luong discovered that OpenEXR had a signed integer overflow in the\nPIZ decoder. An attacker could possibly use this issue to cause OpenEXR to\ncrash, resulting in a denial of service, or execute arbitrary code. This\nissue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-34588)","modified":"2026-05-20T16:06:19.608568652Z","published":"2026-05-07T15:37:21Z","related":["UBUNTU-CVE-2026-27622","UBUNTU-CVE-2026-34380","UBUNTU-CVE-2026-34588"],"upstream":["UBUNTU-CVE-2026-27622","UBUNTU-CVE-2026-34380","UBUNTU-CVE-2026-34588"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8259-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-27622"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-34380"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-34588"}],"affected":[{"package":{"name":"openexr","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/openexr?arch=source&distro=esm-apps%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.0-10ubuntu2.6+esm4"}]}],"versions":["2.2.0-1ubuntu3","2.2.0-7ubuntu1","2.2.0-9ubuntu1","2.2.0-10ubuntu2","2.2.0-10ubuntu2.1","2.2.0-10ubuntu2.2","2.2.0-10ubuntu2.3","2.2.0-10ubuntu2.4","2.2.0-10ubuntu2.6","2.2.0-10ubuntu2.6+esm1","2.2.0-10ubuntu2.6+esm2","2.2.0-10ubuntu2.6+esm3"],"ecosystem_specific":{"binaries":[{"binary_version":"2.2.0-10ubuntu2.6+esm4","binary_name":"libopenexr22"},{"binary_version":"2.2.0-10ubuntu2.6+esm4","binary_name":"openexr"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:16.04:LTS","cves":[]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8259-1.json"}},{"package":{"name":"openexr","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/openexr?arch=source&distro=esm-infra%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.0-11.1ubuntu1.9+esm1"}]}],"versions":["2.2.0-11ubuntu1","2.2.0-11.1ubuntu1","2.2.0-11.1ubuntu1.1","2.2.0-11.1ubuntu1.2","2.2.0-11.1ubuntu1.3","2.2.0-11.1ubuntu1.4","2.2.0-11.1ubuntu1.6","2.2.0-11.1ubuntu1.7","2.2.0-11.1ubuntu1.8","2.2.0-11.1ubuntu1.9"],"ecosystem_specific":{"binaries":[{"binary_version":"2.2.0-11.1ubuntu1.9+esm1","binary_name":"libopenexr22"},{"binary_version":"2.2.0-11.1ubuntu1.9+esm1","binary_name":"openexr"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:18.04:LTS","cves":[{"severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-27622"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8259-1.json"}},{"package":{"name":"openexr","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/openexr?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.3.0-6ubuntu0.5+esm2"}]}],"versions":["2.2.1-4.1ubuntu1","2.3.0-6","2.3.0-6build1","2.3.0-6ubuntu0.1","2.3.0-6ubuntu0.2","2.3.0-6ubuntu0.3","2.3.0-6ubuntu0.5","2.3.0-6ubuntu0.5+esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.3.0-6ubuntu0.5+esm2","binary_name":"libopenexr24"},{"binary_version":"2.3.0-6ubuntu0.5+esm2","binary_name":"openexr"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:20.04:LTS","cves":[{"severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-27622"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8259-1.json"}},{"package":{"name":"openexr","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/openexr?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.5.7-1ubuntu0.1~esm2"}]}],"versions":["2.5.4-2","2.5.7-1","2.5.7-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.5.7-1ubuntu0.1~esm2","binary_name":"libopenexr25"},{"binary_version":"2.5.7-1ubuntu0.1~esm2","binary_name":"openexr"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:22.04:LTS","cves":[{"severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-27622"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8259-1.json"}},{"package":{"name":"openexr","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/openexr?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.5-5.1ubuntu0.1~esm1"}]}],"versions":["3.1.5-5.1","3.1.5-5.1build1","3.1.5-5.1build2","3.1.5-5.1build3"],"ecosystem_specific":{"binaries":[{"binary_version":"3.1.5-5.1ubuntu0.1~esm1","binary_name":"libopenexr-3-1-30"},{"binary_version":"3.1.5-5.1ubuntu0.1~esm1","binary_name":"openexr"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:24.04:LTS","cves":[{"severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-27622"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-34380"},{"severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-34588"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8259-1.json"}},{"package":{"name":"openexr","ecosystem":"Ubuntu:Pro:26.04:LTS","purl":"pkg:deb/ubuntu/openexr?arch=source&distro=esm-apps%2Fresolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.13-2ubuntu0.26.04.1~esm1"}]}],"versions":["3.1.13-2","3.1.13-2build1"],"ecosystem_specific":{"binaries":[{"binary_version":"3.1.13-2ubuntu0.26.04.1~esm1","binary_name":"libopenexr-3-1-30"},{"binary_version":"3.1.13-2ubuntu0.26.04.1~esm1","binary_name":"openexr"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:26.04:LTS","cves":[{"severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-27622"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-34380"},{"severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-34588"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8259-1.json"}}],"schema_version":"1.7.5"}