Skip to main content

OpenEXR CVE-2026-42217

| EUVDEUVD-2026-28300 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-05-07 GitHub_M
Medium
Disputed · 6.3 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
4.3 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
May 07, 2026 - 06:16 EUVD
Source Code Evidence Fetched
May 07, 2026 - 04:47 vuln.today
Analysis Generated
May 07, 2026 - 04:47 vuln.today
CVSS changed
May 07, 2026 - 04:35 NVD
6.3 (MEDIUM)
CVE Published
May 07, 2026 - 04:04 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, readVariableLengthInteger() decodes a variable-length integer from untrusted EXR input without bounding the shift count. After enough continuation bytes, the code executes a left shift by 70 on a 64-bit value, which is undefined behavior. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.

AnalysisAI

OpenEXR versions 3.0.0-3.2.8, 3.3.0-3.3.10, and 3.4.0-3.4.10 suffer from unbounded shift operations in the readVariableLengthInteger() function when parsing variable-length integers from untrusted EXR files. Attackers can craft malicious EXR files with excessive continuation bytes to trigger left shifts exceeding 64 bits on a 64-bit integer, causing undefined behavior that may lead to information disclosure or denial of service. The vulnerability is remotely exploitable without authentication or user interaction against any application processing untrusted EXR input; no public exploit code has been identified at the time of analysis.

Technical ContextAI

OpenEXR is a standardized image file format widely used in motion picture production and VFX workflows. The vulnerability resides in the readVariableLengthInteger() function in ImfIDManifest.cpp, which decodes variable-length encoded integers following a common compression pattern: each byte encodes 7 bits of data plus a continuation flag. The code iteratively reads bytes and accumulates their 7-bit values into a 64-bit integer via left-shift operations. CWE-190 (Integer Overflow) classifies this as a numeric operation vulnerability. The root cause is the absence of bounds checking on the shift count; after 10 or more continuation bytes, the shift amount can reach or exceed 64, violating C++ undefined behavior constraints. This can corrupt memory, cause crashes, or expose sensitive data depending on compiler optimization and runtime environment. The CPE affected:all::* pattern indicates all versions of the product between the stated ranges are vulnerable.

RemediationAI

Upgrade to patched versions immediately: OpenEXR 3.2.9 or later for the 3.2.x series, 3.3.11 or later for 3.3.x, or 3.4.11 or later for 3.4.x. The fix, merged in PR #2378 (commit 21eaa33bcbbb0c83a5fc42f6b6d65b70a996e63c), adds explicit bounds checking to reject variable-length integers with shift counts reaching or exceeding 64 bits, raising an InputExc exception on invalid input. For applications unable to upgrade immediately, implement input validation by sanitizing or rejecting EXR files from untrusted sources, or run EXR parsing in sandboxed processes with restricted privilege and memory isolation to contain the impact of undefined behavior. If upgrading OpenEXR as a library dependency, audit all dependent applications and rebuild them with the patched version; do not assume transitive dependency managers will resolve this automatically. The fix has negligible performance impact (one additional bounds check per variable-length integer) and no breaking API changes.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-42217 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy