Buffer Overflow Vulnerability in OpenEXR by Academy Software Foundation
CVE-2026-42216

8.8 HIGH

Key Information:

CVE Published: 7 May 2026

What is CVE-2026-42216?

The OpenEXR library, used for high dynamic range image storage in the motion picture industry, contains a buffer overflow issue in its IDManifest::init() function. This vulnerability arises when the library reconstructs strings from a prefix-compressed representation without properly validating the size of input strings. Specifically, if a string exceeds 255 bytes, the library fails to confirm the presence of two necessary bytes before accessing them through index positions, potentially leading to memory corruption and allowing an attacker to execute arbitrary code. Users are strongly advised to update to versions 3.2.9, 3.3.11, or 3.4.11 to mitigate this risk.
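The failure mode described above is a length-escape parser trusting that the bytes after an escape marker are present. The following is an added illustration, not OpenEXR's own IDManifest code or its real on-disk layout: it defines a constructed toy prefix-compressed string table (one-byte lengths, with 255 as an escape followed by a two-byte big-endian length) and a decoder that checks every byte it indexes before reading it. The helper names (readLength, decodePrefixCompressed, encodePrefixCompressed, roundTrips, decoderRejects) and the format itself are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed example format, NOT OpenEXR's real IDManifest layout. Each entry is
//   [prefixLen][suffixLen][suffix bytes]
// where each length is one byte, or the escape byte 255 followed by two
// big-endian bytes when the length is 255 or more. An entry's string is the
// first prefixLen bytes of the previous string followed by the suffix.

struct DecodeError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Reads one length field, verifying that every byte it indexes exists.
// The advisory describes the missing check as exactly this: after the escape
// byte, two more bytes were indexed without confirming they were present.
static std::size_t readLength(const std::vector<std::uint8_t>& in, std::size_t& pos) {
    if (pos >= in.size()) throw DecodeError("truncated: missing length byte");
    std::size_t len = in[pos++];
    if (len == 255) {
        if (in.size() - pos < 2) throw DecodeError("truncated: missing 2-byte length");
        len = (static_cast<std::size_t>(in[pos]) << 8) | in[pos + 1];
        pos += 2;
    }
    return len;
}

// Decodes the whole table, rejecting any entry that would read past the input
// or borrow more of the previous string than exists.
std::vector<std::string> decodePrefixCompressed(const std::vector<std::uint8_t>& in) {
    std::vector<std::string> out;
    std::string prev;
    std::size_t pos = 0;
    while (pos < in.size()) {
        std::size_t prefixLen = readLength(in, pos);
        std::size_t suffixLen = readLength(in, pos);
        if (prefixLen > prev.size()) throw DecodeError("prefix longer than previous string");
        if (in.size() - pos < suffixLen) throw DecodeError("truncated: suffix exceeds input");
        std::string s = prev.substr(0, prefixLen);
        s.append(reinterpret_cast<const char*>(in.data() + pos), suffixLen);
        pos += suffixLen;
        out.push_back(s);
        prev = s;
    }
    return out;
}

// Encoder used only to build well-formed test input for the decoder above.
static void writeLength(std::vector<std::uint8_t>& out, std::size_t len) {
    if (len > 0xFFFF) throw std::invalid_argument("length does not fit in 16 bits");
    if (len < 255) {
        out.push_back(static_cast<std::uint8_t>(len));
    } else {
        out.push_back(255);
        out.push_back(static_cast<std::uint8_t>(len >> 8));
        out.push_back(static_cast<std::uint8_t>(len & 0xFF));
    }
}

std::vector<std::uint8_t> encodePrefixCompressed(const std::vector<std::string>& strs) {
    std::vector<std::uint8_t> out;
    std::string prev;
    for (const std::string& s : strs) {
        std::size_t common = 0;
        while (common < prev.size() && common < s.size() && prev[common] == s[common]) ++common;
        writeLength(out, common);
        writeLength(out, s.size() - common);
        out.insert(out.end(), s.begin() + common, s.end());
        prev = s;
    }
    return out;
}

// True when the table survives an encode/decode round trip unchanged.
bool roundTrips(const std::vector<std::string>& strs) {
    return decodePrefixCompressed(encodePrefixCompressed(strs)) == strs;
}

// True when the decoder rejects the input instead of reading past its end.
bool decoderRejects(const std::vector<std::uint8_t>& in) {
    try { decodePrefixCompressed(in); return false; }
    catch (const DecodeError&) { return true; }
}

int main() {
    // A 300-byte string exercises the escape path (length >= 255).
    std::cout << "round trip ok: " << roundTrips({"abc", "abd", "abdefg", std::string(300, 'x')}) << '\n';
    // Escape byte followed by only one of its two length bytes: rejected, not read.
    std::cout << "truncated rejected: " << decoderRejects({0, 255, 0x01}) << '\n';
}
```

The point to carry over to any length-prefixed decoder is that every index into the input is preceded by a remaining-bytes check, including the bytes that follow an escape marker; the fixed OpenEXR releases named in the advisory add the equivalent check for the two-byte length case.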

Affected Version(s)

Package    Affected versions      Not affected
openexr    >= 3.0.0, < 3.2.9      < 3.0.0, 3.2.9
openexr    >= 3.3.0, < 3.3.11     < 3.3.0, 3.3.11
openexr    >= 3.4.0, < 3.4.11     < 3.4.0, 3.4.11

References

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
