Security News

Cybersecurity news aggregator


USN-8259-1: OpenEXR vulnerabilities

Multiple vulnerabilities in OpenEXR, including incorrect sample count handling in deep scan line files (CVE-2026-27622), an integer overflow in the PXR24 decoder (CVE-2026-34380), and a signed integer overflow in the PIZ decoder (CVE-2026-34588), could lead to denial of service or arbitrary code execution. The PXR24 and PIZ decoder issues specifically affect Ubuntu 24.04 LTS and Ubuntu 26.04 LTS.

Quang Luong discovered that OpenEXR incorrectly handled sample count accumulation when processing deep scan line image files. An attacker could possibly use this issue to cause OpenEXR to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-27622)

It was discovered that OpenEXR had an integer overflow in the PXR24 decoder. An attacker could possibly use this issue to cause OpenEXR to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-34380)

Quang Luong discovered that OpenEXR had a signed integer overflow in the PIZ decoder. An attacker could possibly use this issue to cause OpenEXR to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-34588)
