Amazon Linux 2023 Security Advisory: ALAS2023-2026-1481
Advisory Released Date: 2026-03-25
Advisory Updated Date: 2026-03-25
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes. For attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from the wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup and consumption proceed with the true sample counts, and write operations in the core unpack routine (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6. (CVE-2026-27622)
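The size mismatch described above, shown as an added example (not OpenEXR code and not the upstream fix): a 32-bit per-pixel accumulation that wraps, beside a 64-bit accumulation that rejects oversized input before any buffer is sized. The PartCounts model, the function names, the sample counts and the max_samples limit are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model: parts[i][p] is the sample count part i declares for pixel p.
typedef std::vector<std::vector<std::uint32_t> > PartCounts;

// The pattern the advisory describes: 32-bit per-pixel totals, which wrap
// modulo 2^32, then a buffer size derived from the wrapped totals.
std::uint64_t wrapped_total(const PartCounts& parts, std::size_t pixels) {
    std::vector<std::uint32_t> total_sizes(pixels, 0);
    for (std::size_t i = 0; i < parts.size(); ++i)
        for (std::size_t p = 0; p < pixels && p < parts[i].size(); ++p)
            total_sizes[p] += parts[i][p];  // wraps silently
    std::uint64_t overall = 0;
    for (std::size_t p = 0; p < pixels; ++p) overall += total_sizes[p];
    return overall;
}

// Hardened form: accumulate in 64 bits and refuse input whose true total
// exceeds a caller-chosen limit, before any buffer is sized.
bool checked_total(const PartCounts& parts, std::size_t pixels,
                   std::uint64_t max_samples, std::uint64_t& overall) {
    overall = 0;
    for (std::size_t i = 0; i < parts.size(); ++i) {
        if (parts[i].size() != pixels) return false;  // malformed part
        for (std::size_t p = 0; p < pixels; ++p) {
            // overall <= max_samples here, so the subtraction cannot underflow
            if (parts[i][p] > max_samples - overall) return false;
            overall += parts[i][p];
        }
    }
    return true;
}

// Constructed input: three parts, two pixels; pixel 0 sums to 0x120000000.
PartCounts sample_parts() {
    std::vector<std::uint32_t> part(2, 1u);
    part[0] = 0x60000000u;
    return PartCounts(3, part);
}

int main() {
    std::uint64_t t = 0;
    bool ok = checked_total(sample_parts(), 2, 1u << 28, t);
    std::printf("wrapped=%llu accepted=%d\n",
                (unsigned long long)wrapped_total(sample_parts(), 2), (int)ok);
    return 0;
}
```

With the constructed input, the wrapped total is 0x20000003 while the true total is 0x120000003, which is the gap between the resized buffer and the number of samples the decoder goes on to write.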
Affected Packages:
openexr
Issue Correction:
Run dnf update openexr --releasever 2023.10.20260316 or dnf update --advisory ALAS2023-2026-1481 --releasever 2023.10.20260316 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
openexr-libs-debuginfo-3.1.5-1.amzn2023.0.7.aarch64
openexr-debuginfo-3.1.5-1.amzn2023.0.7.aarch64
openexr-3.1.5-1.amzn2023.0.7.aarch64
openexr-libs-3.1.5-1.amzn2023.0.7.aarch64
openexr-devel-3.1.5-1.amzn2023.0.7.aarch64
openexr-debugsource-3.1.5-1.amzn2023.0.7.aarch64
src:
openexr-3.1.5-1.amzn2023.0.7.src
x86_64:
openexr-libs-debuginfo-3.1.5-1.amzn2023.0.7.x86_64
openexr-3.1.5-1.amzn2023.0.7.x86_64
openexr-debuginfo-3.1.5-1.amzn2023.0.7.x86_64
openexr-libs-3.1.5-1.amzn2023.0.7.x86_64
openexr-devel-3.1.5-1.amzn2023.0.7.x86_64
openexr-debugsource-3.1.5-1.amzn2023.0.7.x86_64