PT-2026-21650 · Openexr · Openexr

Jungwoojjing · Published 2026-02-24 · Updated 2026-04-06 · CVE-2026-26981

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

OpenEXR versions 3.3.0 through 3.3.6
OpenEXR versions 3.4.0 through 3.4.4

Description

OpenEXR is an image storage format used in the motion picture industry. A heap-buffer-overflow (out-of-bounds read) can occur in the istream_nonparallel_read function within the ImfContextInit.cpp file when processing a specially crafted, malformed EXR file using a memory-mapped IStream. This happens because a negative value resulting from a signed integer subtraction is converted to size_t, leading to an excessively large length being used in a memcpy operation.

Recommendations

Update to OpenEXR version 3.3.7 or later.
Update to OpenEXR version 3.4.5 or later.
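
The bug class named in the description (signed subtraction, then conversion to size_t before memcpy), shown next to a range-checked form. This is an added, simplified illustration and not OpenEXR's code; the mm_stream type, the function names and the sample values are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical memory-mapped stream; names are illustrative, not OpenEXR's. */
typedef struct {
    const uint8_t *base; /* start of the mapping */
    int64_t size;        /* number of bytes mapped */
} mm_stream;

/* Flawed pattern: signed subtraction, then conversion to size_t.
 * Returns the length that would reach memcpy; no copy is performed here. */
size_t flawed_copy_len(const mm_stream *s, int64_t offset, int64_t want)
{
    int64_t remaining = s->size - offset; /* negative when offset > size */
    if (want > remaining)
        want = remaining;                 /* "clamped" to a negative value */
    return (size_t)want;                  /* wraps to a huge unsigned length */
}

/* Hardened pattern: range-check while still signed, convert only afterwards.
 * Returns bytes copied (short read at end of mapping), or -1 if out of range. */
int64_t checked_read(const mm_stream *s, int64_t offset, void *dst, int64_t want)
{
    if (offset < 0 || want < 0 || offset > s->size)
        return -1;
    int64_t remaining = s->size - offset; /* guaranteed >= 0 here */
    if (want > remaining)
        want = remaining;
    memcpy(dst, s->base + offset, (size_t)want);
    return want;
}

int main(void)
{
    static const uint8_t file[16] = {0}; /* constructed 16-byte "file" */
    mm_stream s = { file, (int64_t)sizeof file };
    uint8_t out[8];
    int64_t want = (int64_t)sizeof out;

    /* Constructed case: a field in the file claims offset 20 in a 16-byte map. */
    printf("flawed length : %zu\n", flawed_copy_len(&s, 20, want));
    printf("checked result: %lld\n", (long long)checked_read(&s, 20, out, want));
    printf("valid tail    : %lld\n", (long long)checked_read(&s, 12, out, want));
    return 0;
}
```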

Related Identifiers

CVE-2026-26981
GHSA-Q6VJ-WXVF-5M8C
OPENSUSE-SU-2026:10272-1

Affected Products

Openexr