PyPI package
openexr
pkg:pypi/openexr
Vulnerabilities (15)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34589 | Medium | 5.0 | — | >= 3.2.0, < 3.2.7 | 3.2.7 | Apr 6, 2026 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-b |
| CVE-2026-34588 | High | 7.8 | — | >= 3.1.0, < 3.2.7 | 3.2.7 | Apr 6, 2026 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmeti |
| CVE-2026-34544 | High | 7.3 | — | >= 3.4.0, < 3.4.8 | 3.4.8 | Apr 1, 2026 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, a crafted B44 or B44A EXR file can cause an out-of-bounds write in any application that dec |
| CVE-2026-34543 | High | 7.5 | — | >= 3.4.0, < 3.4.8 | 3.4.8 | Apr 1, 2026 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (inform |
| CVE-2026-27622 | — | — | — | >= 2.3.0, < 3.2.6 | 3.2.6 | Mar 3, 2026 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector total_sizes for attacker-controlled larg |
| CVE-2026-26981 | — | — | — | >= 3.3.0, < 3.3.7 | 3.3.7 | Feb 24, 2026 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the `istream_nonparallel_read` fun |
| CVE-2025-64183 | — | — | — | >= 3.2.0, < 3.2.5 | 3.2.5 | Nov 10, 2025 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of |
| CVE-2025-64182 | — | — | — | >= 3.2.0, < 3.2.5 | 3.2.5 | Nov 10, 2025 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter |
| CVE-2025-64181 | — | — | — | >= 3.3.0, < 3.3.6 | 3.3.6 | Nov 10, 2025 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch |
| CVE-2025-48074 | — | — | — | >= 3.3.2, < 3.3.3 | 3.3.3 | Aug 1, 2025 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocatio |
| CVE-2025-48073 | — | — | — | >= 3.3.2, < 3.3.3 | 3.3.3 | Jul 31, 2025 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, when reading a deep scanline image with a large sample count in reduceMemory mode, it is possible to crash a target a |
| CVE-2025-48072 | — | — | — | >= 3.3.2, < 3.3.3 | 3.3.3 | Jul 31, 2025 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-pac |
| CVE-2025-48071 | — | — | — | >= 3.3.0, < 3.3.3 | 3.3.3 | Jul 31, 2025 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep sca |
| CVE-2017-9112 | Medium | 6.5 | — | < 2.2.1 | 2.2.1 | May 21, 2017 | In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash. |
| CVE-2017-9111 | High | 8.8 | — | < 2.2.1 | 2.2.1 | May 21, 2017 | In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code. |