Integer Decoding Vulnerability in OpenEXR Image Format Software from Academy Software Foundation
CVE-2026-42217

6.3MEDIUM

Key Information:

Vendor

Academysoftwarefoundation

Status
Openexr
Vendor
CVE Published:
7 May 2026

What is CVE-2026-42217?

A vulnerability in the OpenEXR implementation allows for unsafe decoding of variable-length integers from untrusted EXR input. The affected readVariableLengthInteger() function fails to bound the shift count, potentially leading to undefined behavior when large continuation bytes are processed. This issue has been addressed in the latest software versions, where proper input validation and handling have been implemented to safeguard against this flaw.

Affected Version(s)

openexr >= 3.0.0, < 3.2.9 < 3.0.0, 3.2.9

openexr >= 3.3.0, < 3.3.11 < 3.3.0, 3.3.11

openexr >= 3.4.0, < 3.4.11 < 3.4.0, 3.4.11

References

https://github.com/AcademySoftwareFoundation/openexr/secu...
x_refsource_CONFIRM
https://github.com/AcademySoftwareFoundation/openexr/pull...
x_refsource_MISC
https://github.com/AcademySoftwareFoundation/openexr/comm...
x_refsource_MISC

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.