Heap-Buffer-Overflow Vulnerability in OpenEXR Reference Implementation by Academy Software Foundation
CVE-2026-45696

8.3 HIGH

Key Information:

Status
Vendor
CVE Published: 18 June 2026

What is CVE-2026-45696?

The OpenEXR reference implementation contains a heap-buffer-overflow read in its HTJ2K decoder, in the ht_undo_impl() function. The function processes decoded pixel data without validating the declared width against the actual length of the line buffer, so a crafted EXR file can trigger a 4-byte out-of-bounds read. The result is a deterministic crash (denial of service) and potential leakage of adjacent heap memory, affecting any application that opens untrusted EXR files, including thumbnailers and asset pipelines. The issue has been addressed in version 3.4.12.
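As an added example (not OpenEXR's code and not the actual ht_undo_impl() fix), the following hypothetical line-copy routine shows the check the advisory describes as missing: the width declared in the file header is validated against the length of the line buffer the decoder actually produced, with an overflow-safe size computation, before any bytes are read. Function and constant names are invented, and the 28-byte-versus-32-byte scenario is constructed to mirror the 4-byte over-read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for the checked copy (hypothetical names). */
enum { LINE_OK = 0, LINE_WIDTH_MISMATCH = -1, LINE_WIDTH_OVERFLOW = -2 };

/* Bytes that `width` samples occupy, or 0 if the multiplication would wrap.
 * Computed before any pointer arithmetic so a huge declared width cannot
 * wrap into a small, plausible-looking byte count. */
static size_t line_bytes_needed(size_t width, size_t bytes_per_sample)
{
    if (bytes_per_sample == 0 || width > SIZE_MAX / bytes_per_sample)
        return 0;
    return width * bytes_per_sample;
}

/* Hardened copy: the declared width (untrusted, from the file header) is
 * checked against the length of the decoder's real line buffer and against
 * the destination size before a single byte is touched. */
int copy_line_checked(uint8_t *dst, size_t dst_len,
                      const uint8_t *line, size_t line_len,
                      size_t declared_width, size_t bytes_per_sample)
{
    size_t need = line_bytes_needed(declared_width, bytes_per_sample);
    if (need == 0 && declared_width != 0)
        return LINE_WIDTH_OVERFLOW;
    if (need > line_len || need > dst_len)
        return LINE_WIDTH_MISMATCH;   /* would read (or write) past a buffer */
    memcpy(dst, line, need);
    return LINE_OK;
}

/* Constructed scenario: the decoder produced `produced` bytes on the heap,
 * but the header claims `declared_width` pixels of 4-byte samples. With
 * produced = 28 and declared_width = 8 (32 bytes), an unchecked copy would
 * read 4 bytes past the end of the heap buffer; the checked copy refuses. */
int demo_case(size_t produced, size_t declared_width)
{
    uint8_t out[32];
    uint8_t *decoded = malloc(produced);   /* stands in for the line buffer */
    int rc;
    if (decoded == NULL)
        return LINE_WIDTH_MISMATCH;
    memset(decoded, 0xAB, produced);
    rc = copy_line_checked(out, sizeof out, decoded, produced, declared_width, 4);
    free(decoded);
    return rc;
}
```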

Affected Version(s)

openexr >= 3.4.0, < 3.4.11

References

CVSS V4

Score: 8.3
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
