Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the `istream_nonparallel_read` function in `ImfContextInit.cpp` when parsing a malformed EXR file through a memory-mapped `IStream`. A signed integer subtraction produces a negative value that is implicitly converted to `size_t`, resulting in a massive length being passed to `memcpy`. Versions 3.3.7 and 3.4.5 contain a patch.
Published: 2026-02-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a heap buffer overflow that occurs during parsing of malformed EXR files when the OpenEXR library uses a memory‑mapped IStream. A signed integer subtraction yields a negative result that is implicitly cast to an unsigned `size_t`, causing the `memcpy` call to read an excessively large amount of data and expose memory contents beyond the intended buffer. This out‑of‑bounds read can leak sensitive information and, if combined with other weaknesses, may lead to denial of service or more severe exploitation. The CVSS score of 6.5 indicates a moderate impact on confidentiality and a potential disruption of service.
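The conversion the description refers to, shown as an added example constructed for this page and not OpenEXR's own code: a hypothetical memory-mapped reader whose signed `size - pos` difference is handed to `memcpy`, beside a version that validates the cursor before subtracting. The `mapped_stream` type, the `checked_read`/`unchecked_copy_len` helpers and the sample buffer are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a memory-mapped IStream (not OpenEXR's code):
   mapped bytes, their count, and a signed cursor that file data can steer. */
typedef struct { const uint8_t *data; int64_t size; int64_t pos; } mapped_stream;

/* Constructed 16-byte sample "file"; the contents do not matter here. */
static const uint8_t sample_file[16] = { 'E', 'X', 'R', 0 };

/* Vulnerable pattern: size - pos is computed in signed arithmetic, but the
   memcpy length parameter is size_t. Once a malformed header has pushed pos
   past size, the negative difference wraps to a value near SIZE_MAX.
   This helper returns that length instead of calling memcpy, so the wrap
   can be observed without an out-of-bounds read. */
static size_t unchecked_copy_len(const mapped_stream *s, int64_t want) {
    int64_t avail = s->size - s->pos;             /* negative if pos > size */
    return (size_t)(want < avail ? want : avail); /* implicit sign loss */
}

/* Hardened read: reject an out-of-range cursor before subtracting, so
   avail is provably in [0, size], then clamp the request to it. */
static bool checked_read(mapped_stream *s, uint8_t *dst, int64_t want, size_t *got) {
    if (want < 0 || s->pos < 0 || s->pos > s->size)
        return false;                             /* malformed offset: refuse */
    int64_t avail = s->size - s->pos;
    int64_t n = want < avail ? want : avail;
    memcpy(dst, s->data + s->pos, (size_t)n);
    s->pos += n;
    *got = (size_t)n;
    return true;
}

/* Scenario: cursor at `pos` in the sample file, `want` bytes requested.
   Returns the length the vulnerable pattern would pass to memcpy. */
size_t demo_wrapped_length(int64_t pos, int64_t want) {
    mapped_stream s = { sample_file, sizeof sample_file, pos };
    return unchecked_copy_len(&s, want);
}

/* Bytes the hardened reader copies for the same scenario, or -1 if refused. */
int64_t demo_checked_read(int64_t pos, int64_t want) {
    mapped_stream s = { sample_file, sizeof sample_file, pos };
    uint8_t dst[16] = {0};
    size_t got = 0;
    return checked_read(&s, dst, want, &got) ? (int64_t)got : -1;
}
```

With the cursor 8 bytes past the end of the 16-byte sample, `demo_wrapped_length(24, 8)` yields `(size_t)-8`, while `demo_checked_read(24, 8)` refuses the read.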

Affected Systems

The flaw affects the open source OpenEXR library maintained by the AcademySoftwareFoundation. Vulnerable releases include versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4. These versions can be found in the official distribution under the package name openexr. Subsequent releases, 3.3.7 and 3.4.5 and later, contain the patch.

Risk and Exploitability

The CVSS base score of 6.5 represents moderate severity, and the EPSS probability of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, indicating no known public exploits. Based on the description, the most likely attack scenario is local exploitation by providing a crafted EXR file to an application that uses the library through a memory‑mapped IStream. If such an application accepts network‑supplied files, a remote attacker could potentially trigger the overflow, leading to information disclosure, denial of service, or a broader compromise if additional flaws exist. No additional context is given about the need for elevation or privileged execution, so the impact is confined to the execution context of the affected program.

Generated by OpenCVE AI on April 17, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenEXR 3.3.7 or 3.4.5 or later to apply the official patch
  • If an upgrade cannot be performed immediately, avoid using memory‑mapped IStream when parsing EXR files from untrusted sources or validate the file size before passing it to the library
  • Run the image processing code in a sandboxed or restricted environment to limit the damage if an out‑of‑bounds read occurs



Advisories
Source: Github GHSA | ID: GHSA-q6vj-wxvf-5m8c | Title: OpenEXR has heap-buffer-overflow via signed integer underflow in ImfContextInit.cpp
History

Thu, 26 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Openexr
Openexr openexr
CPEs cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
Vendors & Products Openexr
Openexr openexr

Wed, 25 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-191
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 24 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Academysoftwarefoundation
Academysoftwarefoundation openexr
Vendors & Products Academysoftwarefoundation
Academysoftwarefoundation openexr

Tue, 24 Feb 2026 03:00:00 +0000

Type Values Removed Values Added
Description OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the `istream_nonparallel_read` function in `ImfContextInit.cpp` when parsing a malformed EXR file through a memory-mapped `IStream`. A signed integer subtraction produces a negative value that is implicitly converted to `size_t`, resulting in a massive length being passed to `memcpy`. Versions 3.3.7 and 3.4.5 contain a patch.
Title OpenEXR has heap-buffer-overflow via signed integer underflow in ImfContextInit.cpp
Weaknesses CWE-195
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-02-24T20:03:54.667Z

Reserved: 2026-02-17T01:41:24.605Z

Link: CVE-2026-26981

Vulnrichment

Updated: 2026-02-24T20:03:49.168Z

NVD

Status: Analyzed

Published: 2026-02-24T03:16:01.890

Modified: 2026-02-25T17:30:34.797

Link: CVE-2026-26981

Redhat

Severity: Moderate

Public Date: 2026-02-24T02:26:16Z

Links: CVE-2026-26981 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T16:00:11Z

Weaknesses