FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenEXR -- several integer overflow vulnerabilities

Affected packages
		openexr	<	3.4.10

Details

VuXML ID	7b83af27-3a86-11f1-90cd-41d47652b1c2
Discovery	2026-04-17
Entry	2026-04-19

Cary Phillips reports:

OpenEXR 3.4.10 is a patch release that addresses the following security vulnerabilities:

CVE-2026-39886 HTJ2K Signed Integer Overflow in ht_undo_impl()

CVE-2026-40244 Integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)

CVE-2026-40250 Integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)

[source]

References

CVE Name	CVE-2026-39886
CVE Name	CVE-2026-40244
CVE Name	CVE-2026-40250
URL	https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.10