CVE-2026-26981

Name
CVE-2026-26981
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the `istream_nonparallel_read` function in `ImfContextInit.cpp` when parsing a malformed EXR file through a memory-mapped `IStream`. A signed integer subtraction produces a negative value that is implicitly converted to `size_t`, resulting in a massive length being passed to `memcpy`. Versions 3.3.7 and 3.4.5 contain a patch.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/AcademySoftwareFoundation/openexr/commit/6bb2ddf1068573d073edf81270a015b38cc05cef
security-advisories@github.com https://github.com/AcademySoftwareFoundation/openexr/commit/d2be382758adc3e9ab83a3de35138ec28d93ebd8
security-advisories@github.com https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q6vj-wxvf-5m8c

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:* openexr >= 3.3.0 < 3.3.7
cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:* openexr >= 3.4.0 < 3.4.5

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
openexr edge-community 3.4.4-r0 Théo Zanchi <theo.zanchi@gmail.com> possibly vulnerable
openexr edge-community 3.4.2-r0 Théo Zanchi <theo.zanchi@gmail.com> possibly vulnerable
openexr edge-community 3.3.2-r0 Mark Riedesel <mark+alpine@klowner.com> possibly vulnerable
openexr 3.23-community 3.4.2-r0 Théo Zanchi <theo.zanchi@gmail.com> possibly vulnerable