An update for OpenEXR is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2179 Final 1.0 1.0 2026-05-03 Initial 2026-05-03 2026-05-03 openEuler SA Tool V1.0 2026-05-03 OpenEXR security update An update for OpenEXR is now available for openEuler-24.03-LTS-SP1 OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications. Security Fix(es): OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs `curc->width * curc->height` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other locations by the recent CVE-2026-34589 batch, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1722`.(CVE-2026-40244) OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1040` performs `chan->width * chan->bytes_per_element` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other decoders by CVE-2026-34589/34588/34544, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1040`.(CVE-2026-40250) An update for OpenEXR is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-24.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High OpenEXR https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2179 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40244 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40250 https://nvd.nist.gov/vuln/detail/CVE-2026-40244 https://nvd.nist.gov/vuln/detail/CVE-2026-40250 openEuler-24.03-LTS-SP1 OpenEXR-3.1.11-8.oe2403sp1.src.rpm OpenEXR-3.1.11-8.oe2403sp1.x86_64.rpm OpenEXR-debuginfo-3.1.11-8.oe2403sp1.x86_64.rpm OpenEXR-debugsource-3.1.11-8.oe2403sp1.x86_64.rpm OpenEXR-devel-3.1.11-8.oe2403sp1.x86_64.rpm OpenEXR-libs-3.1.11-8.oe2403sp1.x86_64.rpm OpenEXR-3.1.11-8.oe2403sp1.aarch64.rpm OpenEXR-debuginfo-3.1.11-8.oe2403sp1.aarch64.rpm OpenEXR-debugsource-3.1.11-8.oe2403sp1.aarch64.rpm OpenEXR-devel-3.1.11-8.oe2403sp1.aarch64.rpm OpenEXR-libs-3.1.11-8.oe2403sp1.aarch64.rpm OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs `curc->width * curc->height` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other locations by the recent CVE-2026-34589 batch, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1722`. 2026-05-03 CVE-2026-40244 openEuler-24.03-LTS-SP1 High 7.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H OpenEXR security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2179 OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1040` performs `chan->width * chan->bytes_per_element` in `int32` arithmetic without a `(size_t)` cast. This is the same overflow pattern fixed in other decoders by CVE-2026-34589/34588/34544, but this line was missed. Versions 3.4.10, 3.3.10, and 3.2.8 contain a fix that addresses `internal_dwa_compressor.h:1040`. 2026-05-03 CVE-2026-40250 openEuler-24.03-LTS-SP1 High 7.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H OpenEXR security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2179