CVE-2021-26260

Name
CVE-2021-26260
Description
An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215.
NVD Severity
medium

References

| Type | URI |
| --- | --- |
| FEDORA | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BXFLD4ZAXKAIWO6ZPBCQEEDZB5IG676K/ |
| MISC | https://bugzilla.redhat.com/show_bug.cgi?id=1947582 |
| MLIST | https://lists.debian.org/debian-lts-announce/2021/07/msg00001.html |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:* | openexr | >= None | < 3.0.1 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| openexr | 3.13-community | 2.5.4-r0 | Mark Riedesel <mark+alpine@klowner.com> | possibly vulnerable |
| openexr | 3.14-community | 2.5.5-r3 | Mark Riedesel <mark+alpine@klowner.com> | possibly vulnerable |