Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
Published: 2026-05-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an out-of-bounds read in OpenEXR's IDManifest::init() routine during prefix expansion. The manifest stores its string list prefix-compressed: each entry begins with a field giving how many leading bytes it shares with the previous string, and that field is one byte wide unless the previous string is longer than 255 bytes, in which case it is two bytes wide. The affected code reads stringList[i][0] and stringList[i][1] whenever the two-byte form is expected, without first verifying that the current entry actually holds two bytes. A crafted EXR file whose manifest places a long string before a one-byte (or empty) entry therefore makes the library read past the end of that entry, which can expose adjacent memory or crash the process. Because the bug is read-only, the consequences are information leakage and denial of service; consistent with that, the CVSS vector records high confidentiality and availability impact and no integrity impact.
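The prefix-expansion scheme described above, as an added example that is not OpenEXR's code: a minimal encoder and a bounds-checked decoder for a prefix-compressed string list whose prefix-length field is one byte when the previous string is at most 255 bytes and two bytes otherwise. The list is modelled as a std::vector<std::string>, the two-byte field is taken as big-endian, and the decoder additionally refuses a declared prefix longer than the previous string; all three are assumptions made for illustration. The check marked "missing in affected versions" in decodePrefixList is the one the advisory says was absent.

```cpp
// Added example modelling the prefix-compressed string list from the advisory.
// Not OpenEXR's code. Assumed layout: entry i (i >= 1) starts with a prefix
// length that is 1 byte wide if the decoded previous string is <= 255 bytes,
// otherwise 2 bytes wide (big-endian, assumed), followed by the differing suffix.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Width in bytes of the prefix-length field that follows `previous`.
static std::size_t prefixFieldWidth(const std::string& previous)
{
    return previous.size() > 255 ? 2 : 1;
}

// Encode `strings` into the prefix-compressed representation.
std::vector<std::string> encodePrefixList(const std::vector<std::string>& strings)
{
    std::vector<std::string> out;
    for (std::size_t i = 0; i < strings.size(); ++i)
    {
        if (i == 0) { out.push_back(strings[0]); continue; }
        const std::string& prev = strings[i - 1];
        const std::string& cur  = strings[i];
        std::size_t common = 0;
        while (common < prev.size() && common < cur.size() && prev[common] == cur[common])
            ++common;
        std::string entry;
        if (prefixFieldWidth(prev) == 2)
        {
            if (common > 0xFFFF) common = 0xFFFF;
            entry.push_back(static_cast<char>((common >> 8) & 0xFF));
            entry.push_back(static_cast<char>(common & 0xFF));
        }
        else
        {
            entry.push_back(static_cast<char>(common)); // common <= prev.size() <= 255
        }
        entry += cur.substr(common);
        out.push_back(entry);
    }
    return out;
}

// Bounds-checked decoder: returns false on malformed input instead of reading
// past an entry. Never indexes entry[1] unless the entry has at least 2 bytes.
bool decodePrefixList(const std::vector<std::string>& encoded, std::vector<std::string>& out)
{
    out.clear();
    if (encoded.empty()) return true;
    out.push_back(encoded[0]);
    for (std::size_t i = 1; i < encoded.size(); ++i)
    {
        const std::string& prev  = out[i - 1];
        const std::string& entry = encoded[i];
        const std::size_t width  = prefixFieldWidth(prev);
        // Check missing in affected versions: the entry must contain the whole
        // prefix-length field before its bytes are read.
        if (entry.size() < width) return false;
        std::size_t prefixLen = static_cast<unsigned char>(entry[0]);
        if (width == 2)
            prefixLen = (prefixLen << 8) | static_cast<unsigned char>(entry[1]);
        // Extra guard (added here, not named in the advisory): the declared
        // prefix cannot exceed the previous string.
        if (prefixLen > prev.size()) return false;
        out.push_back(prev.substr(0, prefixLen) + entry.substr(width));
    }
    return true;
}

// Constructed sample exercising the 2-byte field: names longer than 255 bytes.
bool roundTripsLongStrings()
{
    std::vector<std::string> names = {
        std::string(300, 'a') + "/left",
        std::string(300, 'a') + "/right",
        "short/path",
        "short/pathway",
    };
    std::vector<std::string> decoded;
    return decodePrefixList(encodePrefixList(names), decoded) && decoded == names;
}

// Constructed malformed list: a 300-byte first string means the decoder expects
// a 2-byte field in the next entry, but that entry is only one byte long.
bool rejectsShortEntryAfterLongString()
{
    std::vector<std::string> encoded = { std::string(300, 'a'), std::string(1, '\x01') };
    std::vector<std::string> decoded;
    return !decodePrefixList(encoded, decoded);
}

// Constructed: a 1-byte field declaring a 10-byte prefix after a 3-byte string.
bool rejectsPrefixLongerThanPrevious()
{
    std::vector<std::string> encoded = { "abc", std::string(1, '\x0A') + "xyz" };
    std::vector<std::string> decoded;
    return !decodePrefixList(encoded, decoded);
}

int main()
{
    std::printf("round trip: %s\n", roundTripsLongStrings() ? "ok" : "FAIL");
    std::printf("short entry rejected: %s\n", rejectsShortEntryAfterLongString() ? "ok" : "FAIL");
    std::printf("oversized prefix rejected: %s\n", rejectsPrefixLongerThanPrevious() ? "ok" : "FAIL");
    return 0;
}
```

The malformed list in rejectsShortEntryAfterLongString is the shape the advisory describes: the previous string exceeds 255 bytes, so the two-byte form is expected, and the next entry is too short to hold it. The checked decoder fails closed there, where the affected code would read entry[1] regardless.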

Affected Systems

Academy Software Foundation's OpenEXR library versions 3.0.0 through 3.2.8, 3.3.0 through 3.3.10, and 3.4.0 through 3.4.10 are affected. The fixes shipped in OpenEXR 3.2.9, 3.3.11, and 3.4.11 respectively, so any 3.x build older than the first fixed release on its branch should be treated as vulnerable.

Risk and Exploitability

The flaw carries a CVSS 4.0 score of 8.8 (High). The vector (AV:N/AC:L/AT:N/PR:N/UI:N) reflects that a crafted EXR file can be delivered over the network and processed without privileges or user interaction, for example by an automated ingest, thumbnailing or render pipeline; the flaw still only triggers when a victim process parses the attacker's file, so exposure is concentrated wherever untrusted EXR input is accepted. No exploit evidence has been published, the EPSS score is below 1% (Very Low), and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 7, 2026 at 05:36 UTC.

Remediation

Fixed upstream in OpenEXR 3.2.9, 3.3.11, and 3.4.11 (see Description). No workaround other than upgrading has been published.

OpenCVE Recommended Actions

  • Upgrade the OpenEXR library to 3.2.9, 3.3.11 or 3.4.11 (the first fixed release on each branch) or any later release.
  • Rebuild or update applications and frameworks that bundle or statically link OpenEXR, since they do not pick up a system-library update on their own.
  • If an immediate upgrade is infeasible, run any image-ingest, compositing or rendering process that parses EXR files in a sandboxed environment, or otherwise restrict processing of untrusted EXR inputs until the library can be updated.

Generated by OpenCVE AI on May 7, 2026 at 05:36 UTC.

Advisories

No advisories yet.

History

Thu, 07 May 2026 04:15:00 +0000

  • Type: Description. Values Removed: none. Values Added: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
  • Type: Title. Values Removed: none. Values Added: OpenEXR: Out-of-bounds read in `IDManifest::init()` during prefix expansion
  • Type: Weaknesses. Values Removed: none. Values Added: CWE-125
  • Type: References. Values Removed: none. Values Added: none
  • Type: Metrics. Values Removed: none. Values Added: cvssV4_0, score 8.8, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:13:20.747Z

Reserved: 2026-04-25T05:04:37.028Z

Link: CVE-2026-42216

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-07T04:16:34.220

Modified: 2026-05-07T04:16:34.220

Link: CVE-2026-42216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T05:45:06Z

Weaknesses