Skip to main content

OpenEXR CVE-2026-42216

| EUVDEUVD-2026-28298 HIGH
Out-of-bounds Read (CWE-125)
2026-05-07 GitHub_M
8.8
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 07, 2026 - 06:16 EUVD
Analysis Generated
May 07, 2026 - 04:46 vuln.today
CVSS changed
May 07, 2026 - 04:35 NVD
8.8 (HIGH)
CVE Published
May 07, 2026 - 04:01 nvd
HIGH 8.8

DescriptionCVE.org

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.

AnalysisAI

Out-of-bounds read in OpenEXR 3.0.0-3.4.10 allows remote attackers to trigger information disclosure and denial of service by sending malformed EXR image files containing manipulated prefix-compressed strings in IDManifest structures. The vulnerability bypasses bounds checking when reconstructing strings longer than 255 bytes, reading memory outside allocated buffers. EPSS data not available; no public exploit confirmed at time of analysis. Patches released in versions 3.2.9, 3.3.11, and 3.4.11.

Technical ContextAI

OpenEXR is the Academy Software Foundation's reference implementation of the EXR high-dynamic-range image format, widely used in visual effects and animation pipelines. The vulnerability resides in IDManifest::init(), which deserializes prefix-compressed string representations from EXR file metadata. When a string exceeds 255 bytes, the compression scheme stores a 2-byte prefix length in positions [0] and [1] of the subsequent string. The code unconditionally reads stringList[i][0] and stringList[i][1] without validating that stringList[i] contains at least two elements, causing an out-of-bounds read (CWE-125: Out-of-bounds Read). This classic buffer over-read can leak adjacent heap memory contents and crash the parsing process. Affected versions span three release branches: 3.0.0-3.2.8, 3.3.0-3.3.10, and 3.4.0-3.4.10, indicating the flaw persisted across multiple major refactorings.

RemediationAI

Upgrade OpenEXR to patched versions: 3.2.9 or later for the 3.2.x branch, 3.3.11 or later for 3.3.x, or 3.4.11 or later for 3.4.x, as documented in https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-65j8-95g9-jgj4. For systems unable to upgrade immediately, implement input validation by restricting EXR file sources to trusted origins only-this reduces attack surface but does not eliminate risk from supply chain compromise or insider threats. Consider sandboxing EXR parsing processes using containerization or operating system-level isolation (seccomp-bpf on Linux, App Sandbox on macOS) to limit information disclosure impact, though this adds operational complexity and may degrade performance for high-throughput rendering pipelines. If the application does not require IDManifest metadata parsing, investigate whether OpenEXR can be built with reduced feature sets, though upstream support for this configuration is not confirmed.

CVE-2018-18444 HIGH POC
8.8 Oct 17

makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds write, leading to an assertion failure or possib

CVE-2026-27622 HIGH POC
8.4 Mar 03

Out-of-bounds heap write in OpenEXR's CompositeDeepScanLine::readPixels lets a crafted multi-part deep-scanline EXR file

CVE-2017-12596 HIGH POC
7.8 Aug 07

In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp du

CVE-2026-26981 MEDIUM POC
6.5 Feb 24

OpenEXR versions 3.3.0-3.3.6 and 3.4.0-3.4.4 are vulnerable to a heap buffer overflow in file parsing due to improper in

CVE-2021-3598 MEDIUM POC
5.5 Jul 06

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. Rated medium severity (CV

CVE-2020-16589 MEDIUM POC
5.5 Dec 09

A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.

CVE-2020-16588 MEDIUM POC
5.5 Dec 09

A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp

CVE-2020-16587 MEDIUM POC
5.5 Dec 09

A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruct

CVE-2020-11765 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11764 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11763 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11762 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-42216 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy