Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
Published: 2026-05-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an out‑of‑bounds read inside OpenEXR’s IDManifest::init() routine during prefix expansion. The code assumes a two‑byte prefix when the preceding string exceeds 255 bytes, but it does not verify the length of the current string before accessing the first two bytes. This can allow a crafted EXR file to cause the library to read beyond the valid buffer, potentially exposing data from adjacent memory or causing a crash. The vulnerability is limited to read operations, but it can lead to information leakage or denial of service.
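The check the description says is missing, shown in C++ as an added example that is not OpenEXR's own code: a small prefix-compressed string-list decoder modelled on the scheme described above (a one-byte prefix length when the previous string is at most 255 bytes, two bytes otherwise). The exact on-disk layout, the encoder, and the names `compressStrings` and `expandStrings` are assumptions made for the example, not the library's API.

```cpp
// Added example, not OpenEXR's code: a prefix-compressed string-list decoder
// that performs the length checks the advisory describes as missing.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Assumed encoding (hypothetical, modelled on the advisory text):
//  - entry 0 is stored verbatim;
//  - entry i > 0 begins with the number of bytes it shares with the
//    previously reconstructed string, stored as one byte if that string is
//    at most 255 bytes long and as two big-endian bytes otherwise, followed
//    by the bytes that differ.
static std::size_t headerBytesFor(const std::string& previous)
{
    return previous.size() > 255 ? 2 : 1;
}

// Encoder, used here only to build well-formed test input.
std::vector<std::string> compressStrings(const std::vector<std::string>& strings)
{
    std::vector<std::string> out;
    std::string previous;
    for (std::size_t i = 0; i < strings.size(); ++i) {
        const std::string& s = strings[i];
        if (i == 0) {
            out.push_back(s);
            previous = s;
            continue;
        }
        std::size_t shared = 0;
        const std::size_t limit = std::min(s.size(), previous.size());
        while (shared < limit && s[shared] == previous[shared]) ++shared;
        const std::size_t hdr = headerBytesFor(previous);
        if (hdr == 2 && shared > 0xffff) shared = 0xffff; // two bytes cannot encode more
        std::string entry;
        if (hdr == 2) entry.push_back(static_cast<char>((shared >> 8) & 0xff));
        entry.push_back(static_cast<char>(shared & 0xff));
        entry += s.substr(shared);
        out.push_back(entry);
        previous = s;
    }
    return out;
}

// Decoder with validation. Returns false and leaves `out` empty on malformed
// input instead of reading past the end of a short entry.
bool expandStrings(const std::vector<std::string>& stringList, std::vector<std::string>& out)
{
    out.clear();
    std::string previous;
    for (std::size_t i = 0; i < stringList.size(); ++i) {
        const std::string& entry = stringList[i];
        if (i == 0) {
            out.push_back(entry);
            previous = entry;
            continue;
        }
        const std::size_t hdr = headerBytesFor(previous);
        // Check 1 (the one the advisory says was missing): the entry must hold
        // the whole prefix-length header before entry[0] / entry[1] are read.
        if (entry.size() < hdr) {
            out.clear();
            return false;
        }
        std::size_t prefixLen = static_cast<unsigned char>(entry[0]);
        if (hdr == 2) prefixLen = (prefixLen << 8) | static_cast<unsigned char>(entry[1]);
        // Check 2: the shared prefix cannot be longer than the previous string.
        if (prefixLen > previous.size()) {
            out.clear();
            return false;
        }
        std::string s = previous.substr(0, prefixLen) + entry.substr(hdr);
        out.push_back(s);
        previous = s;
    }
    return true;
}

int main()
{
    // Constructed sample: a string longer than 255 bytes forces the two-byte header.
    const std::vector<std::string> names = {
        "layer.beauty.R", "layer.beauty.G", std::string(300, 'a') + "x", "short"};
    std::vector<std::string> packed = compressStrings(names);
    std::vector<std::string> unpacked;
    std::cout << "round trip ok: " << expandStrings(packed, unpacked) << '\n';

    packed[3] = "\x01"; // one byte where a two-byte header is required
    std::cout << "truncated entry rejected: " << !expandStrings(packed, unpacked) << '\n';
    return 0;
}
```

The first check is the one the advisory describes. The second, that the declared prefix length does not exceed the previous string, is the companion check any decoder of this scheme needs, since an oversized prefix length would otherwise read beyond the previous string in the same way.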

Affected Systems

Academy Software Foundation’s OpenEXR library versions 3.0.0 through 3.2.8, 3.3.0 through 3.3.10, and 3.4.0 through 3.4.10 are affected. The issue was fixed in OpenEXR 3.2.9, 3.3.11, and 3.4.11, respectively.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, indicating high severity, yet it is only exploitable when an application parses a maliciously crafted EXR file. Because exploitation requires the library to parse attacker-supplied input, the attack vector is limited to environments where the victim opens an untrusted file. No exploit evidence has been published and the EPSS score is unavailable, suggesting low to moderate exploitation probability. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 7, 2026 at 05:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenEXR library to version 3.2.9, 3.3.11, 3.4.11, or a later release that contains the patch.
  • Update any applications or frameworks that embed OpenEXR so that the latest library is used throughout the deployment stack.
  • If an immediate upgrade is infeasible, isolate the image-processing or rendering process that handles EXR files in a sandboxed environment, or otherwise restrict processing of untrusted inputs until the library can be updated.

Advisories

No advisories yet.

History

Fri, 08 May 2026 17:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Openexr; Openexr openexr
CPEs                |                | cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
Vendors & Products  |                | Openexr; Openexr openexr
Metrics             |                | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Thu, 07 May 2026 18:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Academysoftwarefoundation; Academysoftwarefoundation openexr
Vendors & Products  |                | Academysoftwarefoundation; Academysoftwarefoundation openexr

Thu, 07 May 2026 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 04:15:00 +0000

Type        | Values Removed | Values Added
Description |                | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
Title       |                | OpenEXR: Out-of-bounds read in `IDManifest::init()` during prefix expansion
Weaknesses  |                | CWE-125
References  |                |
Metrics     |                | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:13:20.747Z

Reserved: 2026-04-25T05:04:37.028Z

Link: CVE-2026-42216

Vulnrichment

Updated: 2026-05-07T14:13:15.479Z

NVD

Status : Analyzed

Published: 2026-05-07T04:16:34.220

Modified: 2026-05-08T16:56:50.613

Link: CVE-2026-42216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T18:00:11Z

Weaknesses