OpenEXR has heap-buffer-overflow via signed integer underflow in ImfContextInit.cpp
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the istream_nonparallel_read function in ImfContextInit.cpp when parsing a malformed EXR file through a memory-mapped IStream. A signed integer subtraction produces a negative value that is implicitly converted to size_t, resulting in a massive length being passed to memcpy. Versions 3.3.7 and 3.4.5 contain a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap-buffer-overflow in OpenEXR's memory-mapped IStream parsing due to signed integer underflow, potentially leading to remote code execution or denial of service.
Root Cause
A heap-buffer-overflow (OOB read) exists in the istream_nonparallel_read function in ImfContextInit.cpp of OpenEXR versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4 [1]. The bug stems from a signed integer subtraction that produces a negative value, which is then implicitly converted to size_t (unsigned), resulting in a very large length passed to memcpy [2].
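The clamp arithmetic behind this bug, modelled in C++ as an added illustration (this is not OpenEXR's code): the pre-fix expression, the patched expression, and a simulated read over a constructed in-memory stream that refuses any length exceeding the bytes that remain. Function names such as clamp_len_before_fix and simulated_read are hypothetical; stream_sz, nread and sz follow the variable names in the fix commit.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed model of the length clamp in istream_nonparallel_read; this is
// illustration code, not OpenEXR's. stream_sz is the mapped stream's total
// size, nread the bytes already consumed, sz the number of bytes requested.

// Pre-fix clamp: inside the branch nend > stream_sz, so stream_sz - nend is
// negative; storing it in the unsigned sz wraps to a value near 2^64.
uint64_t clamp_len_before_fix(int64_t stream_sz, int64_t nread, uint64_t sz)
{
    int64_t nend = nread + static_cast<int64_t>(sz);
    if (stream_sz > 0 && nend > stream_sz)
        sz = stream_sz - nend; // negative int64_t implicitly converted to uint64_t
    return sz;
}

// Patched clamp: the bytes still available are stream_sz - nread.
uint64_t clamp_len_after_fix(int64_t stream_sz, int64_t nread, uint64_t sz)
{
    int64_t nend = nread + static_cast<int64_t>(sz);
    if (stream_sz > 0 && nend > stream_sz)
        sz = static_cast<uint64_t>(stream_sz - nread);
    return sz;
}

// Simulated read over a constructed in-memory stream: copies len bytes with
// memcpy only after confirming they exist. Returns bytes copied, or -1 when
// the requested length exceeds what remains (the case the bug produced), so
// an oversized length never reaches memcpy.
int64_t simulated_read(const std::vector<uint8_t>& stream, int64_t nread,
                       uint64_t len, std::vector<uint8_t>& out)
{
    int64_t remaining = static_cast<int64_t>(stream.size()) - nread;
    if (nread < 0 || remaining < 0 || len > static_cast<uint64_t>(remaining))
        return -1;
    out.resize(static_cast<size_t>(len));
    std::memcpy(out.data(), stream.data() + nread, static_cast<size_t>(len));
    return static_cast<int64_t>(len);
}
```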
Exploitation
An attacker can trigger this vulnerability by providing a crafted EXR file that exploits the incorrect size calculation during memory-mapped IStream parsing [2]. No authentication or special privileges are required; the victim only needs to open the malicious file using an affected OpenEXR version [1].
Impact
Successful exploitation can lead to an out-of-bounds read, potentially causing information disclosure or memory corruption that may facilitate remote code execution or denial of service [1][2].
Mitigation
The issue has been patched in OpenEXR versions 3.3.7 and 3.4.5 [4]. Users are strongly advised to update to these versions or later. The OpenEXR project prioritizes robustness and security, as outlined in its mission [3].
- NVD - CVE-2026-26981
- Heap-buffer-overflow via signed integer underflow in ImfContextInit.cpp
- GitHub - AcademySoftwareFoundation/openexr: The OpenEXR project provides the specification and reference implementation of the EXR file format, the professional-grade image storage format of the motion picture industry.
- Fix incorrect size check in istream_nonparallel_read (#2244) · AcademySoftwareFoundation/openexr@d2be382
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OpenEXR (PyPI) | >= 3.3.0, < 3.3.7 | 3.3.7 |
| OpenEXR (PyPI) | >= 3.4.0, < 3.4.5 | 3.4.5 |
Affected products
- AcademySoftwareFoundation/openexr (range: >= 3.3.0, < 3.3.7)
Patches
d2be382758ad Fix incorrect size check in istream_nonparallel_read (#2244)
1 file changed · +2 −4
src/lib/OpenEXR/ImfContextInit.cpp+2 −4 modified@@ -119,11 +119,9 @@ istream_nonparallel_read ( } int64_t stream_sz = s->size (); - int64_t nend = nread + (int64_t)sz; + int64_t nend = nread + static_cast<int64_t>(sz); if (stream_sz > 0 && nend > stream_sz) - { - sz = stream_sz - nend; - } + sz = static_cast<uint64_t>(stream_sz - nread); try {
6bb2ddf10685 Fix incorrect size check in istream_nonparallel_read (#2244)
1 file changed · +2 −4
src/lib/OpenEXR/ImfContextInit.cpp+2 −4 modified@@ -119,11 +119,9 @@ istream_nonparallel_read ( } int64_t stream_sz = s->size (); - int64_t nend = nread + (int64_t)sz; + int64_t nend = nread + static_cast<int64_t>(sz); if (stream_sz > 0 && nend > stream_sz) - { - sz = stream_sz - nend; - } + sz = static_cast<uint64_t>(stream_sz - nread); try {
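Review bot: The replacement clamp `sz = static_cast<uint64_t>(stream_sz - nread);` is only safe while nread <= stream_sz; if the read position is already past the end of the stream, the subtraction is negative again and the cast yields the same kind of huge length this change is meant to remove. Consider guarding before the subtraction, e.g. `if (nread >= stream_sz) sz = 0;` (or asserting nread <= stream_sz), and adding a regression test that reads a truncated memory-mapped file so the branch is exercised. The old expression `stream_sz - nend` was negative by construction inside the `nend > stream_sz` branch, so switching to `stream_sz - nread` is the right correction for the common case. The hunk is identical in d2be382 and 6bb2ddf, so the comment applies to both commits.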
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q6vj-wxvf-5m8c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-26981 (ghsa, ADVISORY)
- github.com/AcademySoftwareFoundation/openexr/commit/6bb2ddf1068573d073edf81270a015b38cc05cef (ghsa, x_refsource_MISC, WEB)
- github.com/AcademySoftwareFoundation/openexr/commit/d2be382758adc3e9ab83a3de35138ec28d93ebd8 (ghsa, x_refsource_MISC, WEB)
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q6vj-wxvf-5m8c (ghsa, x_refsource_CONFIRM, WEB)