CVE-2026-42216
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk27th percentile — higher than 27% of all known CVEs
Summary
In OpenEXR versions 3.0.0 to 3.2.9, 3.3.0 to 3.3.11, and 3.4.0 to 3.4.11, a vulnerability exists in the IDManifest::init() function. When reconstructing strings from a prefix-compressed representation, the code reads bytes without verifying that the current string has at least two bytes, potentially causing an out-of-bounds read.
Risk Assessment
This vulnerability could allow an attacker to read data beyond the allocated buffer, potentially leading to disclosure of sensitive information or system instability.
Recommendation
Immediately update OpenEXR to version 3.2.9, 3.3.11, or 3.4.11, depending on the branch in use.
Original NVD description (English source)
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.

