PT-2026-38334 · Openexr · Openexr
M1-Llie · Published 2026-05-07 · Updated 2026-06-17 · CVE-2026-42216

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

OpenEXR versions 3.0.0 through 3.2.8
OpenEXR versions 3.3.0 through 3.3.10
OpenEXR versions 3.4.0 through 3.4.10

Description

The IDManifest::init() function reconstructs strings from a prefix-compressed representation. When a previous string exceeds 255 bytes, the subsequent string is expected to start with a 2-byte prefix length. The software reads the first two bytes of the current string without verifying that the string contains at least two bytes, leading to a buffer over-read (reading data beyond the end of the intended buffer).

Recommendations

Update versions 3.0.0 through 3.2.8 to version 3.2.9.
Update versions 3.3.0 through 3.3.10 to version 3.3.11.
Update versions 3.4.0 through 3.4.10 to version 3.4.11.
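The following decoder is an added illustration of the length check the description says is missing; it is not OpenEXR's IDManifest code, and the entry layout it parses (a 1- or 2-byte prefix length followed by suffix bytes, with the field width chosen by the length of the previous string) is a constructed toy format, not OpenEXR's actual manifest encoding. The point it shows is that the width of the length field must be compared against the entry size before any bytes of the field are read.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// One encoded entry: [prefix length][suffix bytes]. Constructed format.
using Entry = std::vector<uint8_t>;

// Reconstruct strings from a prefix-compressed list. The prefix-length field
// is 1 byte when the previous string is at most 255 bytes long and 2 bytes
// (big-endian) otherwise. Each string is the first `prefix length` bytes of
// the previous string followed by the entry's suffix bytes. Returns
// std::nullopt instead of reading past an entry when the input is malformed.
std::optional<std::vector<std::string>>
decodePrefixCompressed(const std::vector<Entry>& entries)
{
    std::vector<std::string> out;
    std::string previous;
    for (const Entry& e : entries) {
        // Field width depends on the length of the previously decoded string.
        const std::size_t width = previous.size() > 255 ? 2 : 1;
        // The check the advisory describes as missing: the entry must hold at
        // least `width` bytes before the length field is read from it.
        if (e.size() < width) return std::nullopt;
        std::size_t prefixLen = e[0];
        if (width == 2) prefixLen = (prefixLen << 8) | e[1];
        // A prefix cannot be longer than the string it is copied from.
        if (prefixLen > previous.size()) return std::nullopt;
        std::string s = previous.substr(0, prefixLen);
        s.append(e.begin() + width, e.end());
        out.push_back(s);
        previous = std::move(s);
    }
    return out;
}

// Constructed sample: "abc", then a 303-byte string, then an entry that
// correctly carries a 2-byte prefix length (256) because its predecessor
// exceeds 255 bytes.
std::vector<Entry> sampleWellFormed()
{
    std::vector<Entry> v;
    v.push_back({0, 'a', 'b', 'c'});              // prefix 0 + "abc"
    Entry longEntry{3};                           // prefix 3 ("abc")
    longEntry.insert(longEntry.end(), 300, 'x');  // + 300 'x' -> 303 bytes
    v.push_back(longEntry);
    v.push_back({0x01, 0x00, 'y'});               // prefix 256 + "y"
    return v;
}

// Constructed sample with the malformed shape from the description: after a
// string longer than 255 bytes, the next entry holds only one byte, so an
// unconditional 2-byte read would run past its end.
std::vector<Entry> sampleMalformed()
{
    std::vector<Entry> v = sampleWellFormed();
    v.back() = {0x01};
    return v;
}

int main()
{
    auto ok = decodePrefixCompressed(sampleWellFormed());
    std::cout << "well-formed: " << (ok ? ok->size() : 0) << " strings\n";
    auto bad = decodePrefixCompressed(sampleMalformed());
    std::cout << "malformed: " << (bad ? "accepted" : "rejected") << "\n";
    return 0;
}
```

The well-formed sample decodes to three strings ("abc", the 303-byte string, and a 257-byte string ending in 'y'); the malformed sample is rejected at the size check rather than being read past its single byte.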

Weakness Enumeration

Out-of-bounds Read

Related Identifiers

CVE-2026-42216
ECHO-7BA5-1829-1400
OESA-2026-2364
OESA-2026-2365
OESA-2026-2366
OPENSUSE-SU-2026:10772-1

Affected Products

Openexr