VYPR
Moderate severityNVD Advisory· Published Feb 24, 2026· Updated Feb 24, 2026

OpenEXR has heap-buffer-overflow via signed integer underflow in ImfContextInit.cpp

CVE-2026-26981

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the istream_nonparallel_read function in ImfContextInit.cpp when parsing a malformed EXR file through a memory-mapped IStream. A signed integer subtraction produces a negative value that is implicitly converted to size_t, resulting in a massive length being passed to memcpy. Versions 3.3.7 and 3.4.5 contain a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
OpenEXRPyPI
>= 3.3.0, < 3.3.73.3.7
OpenEXRPyPI
>= 3.4.0, < 3.4.53.4.5

Affected products

19

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.