
Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (out-of-bounds read) occurs in the `istream_nonparallel_read` function in `ImfContextInit.cpp` when a malformed EXR file is parsed through a memory-mapped `IStream`. A signed integer subtraction produces a negative value that is implicitly converted to `size_t`, so a huge length is passed to `memcpy` and the copy reads far past the end of the mapping; per the CVSS vector the impact is availability (a crash), with no confidentiality or integrity component claimed. Versions 3.3.7 and 3.4.5 contain a patch.
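The signed-to-unsigned conversion the description refers to, shown on a small model rather than on OpenEXR's code: the example below is added here and is not the vulnerable function from `ImfContextInit.cpp`. It uses a hypothetical in-memory "file" layout (an 8-byte little-endian chunk offset followed by payload), two constructed sample buffers (`good_file`, `bad_file`) and hypothetical functions (`read_u64le`, `vuln_chunk_length`, `safe_read_chunk`); none of these names exist in OpenEXR. `vuln_chunk_length` reproduces the CWE-195 pattern, computing the remaining byte count with signed arithmetic and returning the `size_t` value that would reach `memcpy`; `safe_read_chunk` validates the offset in the unsigned domain before any subtraction and clamps to the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample "files" (not real EXR data): an 8-byte little-endian
 * chunk offset followed by payload, standing in for a memory-mapped IStream. */
#define FILE_SIZE 32
static const uint8_t good_file[FILE_SIZE] = {
    8, 0, 0, 0, 0, 0, 0, 0,                       /* chunk starts at byte 8 (valid) */
    'p','a','y','l','o','a','d',' ',
    'b','y','t','e','s',' ','h','e',
    'r','e','.', 0, 0, 0, 0, 0
};
static const uint8_t bad_file[FILE_SIZE] = {
    64, 0, 0, 0, 0, 0, 0, 0                       /* chunk claims byte 64, past EOF */
    /* remaining bytes are zero-initialised */
};

/* Hypothetical helper: decode a little-endian uint64 from the mapping. */
static uint64_t read_u64le(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Vulnerable pattern (CWE-195): the remaining-byte count is computed with
 * signed arithmetic and would then be used as the memcpy length, which is
 * size_t. When the attacker-controlled offset lies past the end of the
 * mapping, size - offset is negative and the implicit conversion yields a
 * length close to 2^64. The function returns that length instead of calling
 * memcpy, because the copy would read out of bounds. */
size_t vuln_chunk_length(const uint8_t *file, int64_t size)
{
    int64_t offset    = (int64_t)read_u64le(file); /* from the file, untrusted */
    int64_t remaining = size - offset;             /* -32 for bad_file */
    /* original pattern: memcpy(dst, file + offset, remaining); */
    return (size_t)remaining;                      /* -32 -> 0xFFFFFFFFFFFFFFE0 */
}

/* Hardened version: bounds-check the offset against the mapping size as
 * unsigned values before subtracting, and clamp to the destination size.
 * Returns 0 on success, -1 if the file is malformed. */
int safe_read_chunk(const uint8_t *file, int64_t size,
                    uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    if (size < 8)
        return -1;                                 /* header itself is missing */
    uint64_t offset = read_u64le(file);
    if (offset > (uint64_t)size)
        return -1;                                 /* rejects bad_file */
    size_t remaining = (size_t)((uint64_t)size - offset); /* cannot be negative */
    if (remaining > dst_cap)
        remaining = dst_cap;                       /* never overrun the destination */
    memcpy(dst, file + offset, remaining);
    *out_len = remaining;
    return 0;
}

int main(void)
{
    uint8_t dst[64];
    size_t n = 0;
    int rc;

    printf("vulnerable length for bad_file: %zu\n",
           vuln_chunk_length(bad_file, FILE_SIZE));
    rc = safe_read_chunk(good_file, FILE_SIZE, dst, sizeof dst, &n);
    printf("safe read of good_file: rc=%d len=%zu\n", rc, n);
    rc = safe_read_chunk(bad_file, FILE_SIZE, dst, sizeof dst, &n);
    printf("safe read of bad_file:  rc=%d\n", rc);
    return 0;
}
```

The check worth carrying over to any reader of this shape is the order of operations in `safe_read_chunk`: compare the untrusted offset against the mapping size while both are unsigned, and only then subtract. Doing the subtraction first, in a signed type, is exactly what lets a value of about 2^64 reach `memcpy`; compiling with `-Wsign-conversion` (GCC/Clang) flags the implicit conversion in the vulnerable path.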

Status: PUBLISHED | Reserved: 2026-02-17 | Published: 2026-02-24 | Updated: 2026-02-24 | Assigner: GitHub_M

MEDIUM: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Problem types

CWE-195: Signed to Unsigned Conversion Error

Product status

OpenEXR >= 3.3.0, < 3.3.7: affected

OpenEXR >= 3.4.0, < 3.4.5: affected

References

github.com/...penexr/security/advisories/GHSA-q6vj-wxvf-5m8c

github.com/...ommit/6bb2ddf1068573d073edf81270a015b38cc05cef

github.com/...ommit/d2be382758adc3e9ab83a3de35138ec28d93ebd8

cve.org (CVE-2026-26981)

nvd.nist.gov (CVE-2026-26981)
