rpm package

opensuse/openexr&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/openexr&distro=openSUSE%20Tumbleweed

Vulnerabilities (37)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-45696		—	< 3.4.12-1.1	3.4.12-1.1	Jun 18, 2026	OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, the HTJ2K (High-Throughput JPEG 2000) decoder, ht_undo_impl() in OpenEXRCore is vulnerable to a heap-buffer-overflow R
CVE-2026-44663		—	< 3.4.12-1.1	3.4.12-1.1	Jun 18, 2026	OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, an integer overflow in ht_undo_impl() in src/lib/OpenEXRCore/internal_ht.cpp leads to a heap-buffer overflow when deco
CVE-2026-42217	Cri	9.8	< 3.4.11-1.1	3.4.11-1.1	May 7, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, readVariableLengthInteger() decodes a variable
CVE-2026-42216	Cri	9.1	< 3.4.11-1.1	3.4.11-1.1	May 7, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a
CVE-2026-41142	Hig	8.8	< 3.4.11-1.1	3.4.11-1.1	May 7, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::
CVE-2026-40250	Hig	7.1	< 3.4.9-4.1	3.4.9-4.1	Apr 21, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1040` performs `chan->width *
CVE-2026-40244	Hig	7.1	< 3.4.9-4.1	3.4.9-4.1	Apr 21, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs `curc->width *
CVE-2026-39886	Med	5.3	< 3.4.9-4.1	3.4.9-4.1	Apr 21, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Versions 3.4.0 through 3.4.9 have a signed integer overflow vulnerability in OpenEXR's HTJ2K (High-Throughput JPEG 2000) decompression
CVE-2026-34589	Med	5.0	< 3.4.9-1.1	3.4.9-1.1	Apr 6, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-b
CVE-2026-34588	Hig	7.8	< 3.4.9-1.1	3.4.9-1.1	Apr 6, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmeti
CVE-2026-34380	Med	5.9	< 3.4.9-1.1	3.4.9-1.1	Apr 6, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr
CVE-2026-34379	Hig	7.1	< 3.4.9-1.1	3.4.9-1.1	Apr 6, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/Op
CVE-2026-34378	Med	6.5	< 3.4.9-1.1	3.4.9-1.1	Apr 6, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a sign
CVE-2026-34545	Hig	7.3	< 3.4.9-1.1	3.4.9-1.1	Apr 1, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.7, an attacker providing a crafted .exr file with HTJ2K compression and a channel width of 327
CVE-2026-34544	Hig	7.3	< 3.4.9-1.1	3.4.9-1.1	Apr 1, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, a crafted B44 or B44A EXR file can cause an out-of-bounds write in any application that dec
CVE-2026-34543	Hig	7.5	< 3.4.9-1.1	3.4.9-1.1	Apr 1, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (inform
CVE-2026-27622		—	< 3.4.6-1.1	3.4.6-1.1	Mar 3, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector total_sizes for attacker-controlled larg
CVE-2026-26981		—	< 3.4.5-1.1	3.4.5-1.1	Feb 24, 2026	OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the `istream_nonparallel_read` fun
CVE-2025-12840		—	< 3.4.3-2.1	3.4.3-2.1	Dec 23, 2025	Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required
CVE-2025-12839		—	< 3.4.3-2.1	3.4.3-2.1	Dec 23, 2025	Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required

CVE-2026-45696Jun 18, 2026
affected < 3.4.12-1.1fixed 3.4.12-1.1
OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, the HTJ2K (High-Throughput JPEG 2000) decoder, ht_undo_impl() in OpenEXRCore is vulnerable to a heap-buffer-overflow R
CVE-2026-44663Jun 18, 2026
affected < 3.4.12-1.1fixed 3.4.12-1.1
OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, an integer overflow in ht_undo_impl() in src/lib/OpenEXRCore/internal_ht.cpp leads to a heap-buffer overflow when deco
CVE-2026-42217CriMay 7, 2026
affected < 3.4.11-1.1fixed 3.4.11-1.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, readVariableLengthInteger() decodes a variable
CVE-2026-42216CriMay 7, 2026
affected < 3.4.11-1.1fixed 3.4.11-1.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a
CVE-2026-41142HigMay 7, 2026
affected < 3.4.11-1.1fixed 3.4.11-1.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::
CVE-2026-40250HigApr 21, 2026
affected < 3.4.9-4.1fixed 3.4.9-4.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1040` performs `chan->width *
CVE-2026-40244HigApr 21, 2026
affected < 3.4.9-4.1fixed 3.4.9-4.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, `internal_dwa_compressor.h:1722` performs `curc->width *
CVE-2026-39886MedApr 21, 2026
affected < 3.4.9-4.1fixed 3.4.9-4.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Versions 3.4.0 through 3.4.9 have a signed integer overflow vulnerability in OpenEXR's HTJ2K (High-Throughput JPEG 2000) decompression
CVE-2026-34589MedApr 6, 2026
affected < 3.4.9-1.1fixed 3.4.9-1.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-b
CVE-2026-34588HigApr 6, 2026
affected < 3.4.9-1.1fixed 3.4.9-1.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmeti
CVE-2026-34380MedApr 6, 2026
affected < 3.4.9-1.1fixed 3.4.9-1.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr
CVE-2026-34379HigApr 6, 2026
affected < 3.4.9-1.1fixed 3.4.9-1.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/Op
CVE-2026-34378MedApr 6, 2026
affected < 3.4.9-1.1fixed 3.4.9-1.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a sign
CVE-2026-34545HigApr 1, 2026
affected < 3.4.9-1.1fixed 3.4.9-1.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.7, an attacker providing a crafted .exr file with HTJ2K compression and a channel width of 327
CVE-2026-34544HigApr 1, 2026
affected < 3.4.9-1.1fixed 3.4.9-1.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, a crafted B44 or B44A EXR file can cause an out-of-bounds write in any application that dec
CVE-2026-34543HigApr 1, 2026
affected < 3.4.9-1.1fixed 3.4.9-1.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (inform
CVE-2026-27622Mar 3, 2026
affected < 3.4.6-1.1fixed 3.4.6-1.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector total_sizes for attacker-controlled larg
CVE-2026-26981Feb 24, 2026
affected < 3.4.5-1.1fixed 3.4.5-1.1
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the `istream_nonparallel_read` fun
CVE-2025-12840Dec 23, 2025
affected < 3.4.3-2.1fixed 3.4.3-2.1
Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required
CVE-2025-12839Dec 23, 2025
affected < 3.4.3-2.1fixed 3.4.3-2.1
Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required

Page 1 of 2