Heap Buffer Overflow in OpenEXR Affects Image Processing Software by Academy Software Foundation
CVE-2026-26981
What is CVE-2026-26981?
The OpenEXR library, used for high dynamic range image storage in the motion picture industry, contains a vulnerability affecting versions 3.3.0 to 3.3.6 and 3.4.0 to 3.4.4. Specifically, a heap-buffer-overflow occurs in the 'istream_nonparallel_read' function within 'ImfContextInit.cpp'. This is triggered when parsing malformed EXR files via a memory-mapped IStream, leading to potential memory corruption. A negative result from a signed integer subtraction is incorrectly converted into a large size_t value, which can cause excessive data to be copied during memory operations. Versions 3.3.7 and 3.4.5 have implemented patches to mitigate this issue.
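The advisory's root cause is a sign-conversion bug: a signed "bytes remaining" that goes negative becomes a huge size_t when handed to a copy routine. The following added example (illustrative code, not OpenEXR's own implementation; the stream type, sample file and function names are assumptions) shows that pattern on a hypothetical memory-mapped reader next to the checked form, and only computes the bad length rather than copying with it.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical memory-mapped input stream; not OpenEXR's own type. */
typedef struct {
    const uint8_t *base;  /* start of the mapped file */
    int64_t size;         /* mapped length in bytes */
    int64_t pos;          /* read offset derived from untrusted file headers */
} mmap_stream_t;

/* Constructed 16-byte "file" standing in for a mapped EXR. */
static const uint8_t SAMPLE_FILE[16] = "0123456789abcdef";

/* Bug class from the advisory: size - pos is a signed value that goes
 * negative when pos lies past the end; converting it to size_t wraps the
 * "remaining" length to a huge number. Only returns the length, no copy. */
size_t unchecked_copy_len(const mmap_stream_t *s, int64_t want) {
    int64_t remaining = s->size - s->pos;          /* may be negative */
    return (size_t)(want < remaining ? want : remaining);
}

/* Hardened form: reject offsets outside the mapping before subtracting,
 * so the remainder is provably non-negative before it becomes a size_t.
 * Returns bytes copied, or -1 for a malformed request. */
int64_t checked_read(const mmap_stream_t *s, uint8_t *dst, int64_t want) {
    if (want < 0 || s->pos < 0 || s->pos > s->size) return -1;
    int64_t remaining = s->size - s->pos;          /* >= 0 here */
    int64_t n = want < remaining ? want : remaining;
    memcpy(dst, s->base + s->pos, (size_t)n);
    return n;
}

/* Helpers that run both variants over the sample file at a given offset. */
size_t demo_unchecked(int64_t pos, int64_t want) {
    mmap_stream_t s = { SAMPLE_FILE, sizeof SAMPLE_FILE, pos };
    return unchecked_copy_len(&s, want);
}

int64_t demo_checked(int64_t pos, int64_t want) {
    uint8_t dst[16] = {0};
    mmap_stream_t s = { SAMPLE_FILE, sizeof SAMPLE_FILE, pos };
    return checked_read(&s, dst, want);
}

int main(void) {
    printf("unchecked, pos=20: would copy %zu bytes\n", demo_unchecked(20, 8));
    printf("checked,   pos=20: returns %lld\n", (long long)demo_checked(20, 8));
    return 0;
}
```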

Affected Version(s)
openexr >= 3.3.0, < 3.3.7 (unaffected: < 3.3.0 and 3.3.7)
openexr >= 3.4.0, < 3.4.5 (unaffected: < 3.4.0 and 3.4.5)
