CVE-2026-42216
Analyzed Analyzed - Analysis Complete
Heap Buffer Overflow in OpenEXR Image Library

Publication date: 2026-05-07

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42216
EUVD
EUVD-2026-28298
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
openexr openexr From 3.0.0 (inc) to 3.2.9 (exc)
openexr openexr From 3.3.0 (inc) to 3.3.11 (exc)
openexr openexr From 3.4.0 (inc) to 3.4.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-42216 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The CVE-2026-42216 vulnerability is an out-of-bounds read issue in the OpenEXR library's IDManifest::init() function. It happens when the code tries to reconstruct strings from a prefix-compressed format by reading the first two bytes of a string without checking if the string is at least two bytes long. If the string is empty or shorter than two bytes, this leads to reading invalid memory.

This flaw occurs because the code uses stringList[i][0] and stringList[i][1] to calculate a common prefix length without validating the string's length first.

The vulnerability can cause heap memory leaks or process crashes depending on how an attacker manipulates the heap layout.

It affects OpenEXR versions from 3.0.0 up to 3.4.10 and has been fixed in versions 3.2.9, 3.3.11, and 3.4.11 by adding proper length validation before reading the prefix bytes.

Impact Analysis

This vulnerability can impact you by causing your application or system using the OpenEXR library to crash unexpectedly due to out-of-bounds memory reads.

Additionally, it may lead to heap memory leaks, which can degrade system performance or stability over time.

If an attacker can control the heap layout, they might exploit this flaw to cause denial of service or potentially other unpredictable behavior.

Detection Guidance

This vulnerability involves an out-of-bounds read in the IDManifest::init() function of the OpenEXR library when processing prefix-compressed strings. Detection would involve identifying usage of vulnerable OpenEXR versions (3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11) on your system.

You can check the installed OpenEXR version using commands like:

  • `openexr --version`
  • `dpkg -l | grep openexr` (on Debian-based systems)
  • `rpm -qa | grep openexr` (on RPM-based systems)

Additionally, monitoring for crashes or heap memory leaks in applications using OpenEXR could indicate exploitation attempts, but no specific detection commands or network signatures are provided.

Mitigation Strategies

The primary mitigation step is to upgrade OpenEXR to a patched version where this vulnerability is fixed.

  • Upgrade to OpenEXR version 3.2.9 or later in the 3.2.x series.
  • Upgrade to OpenEXR version 3.3.11 or later in the 3.3.x series.
  • Upgrade to OpenEXR version 3.4.11 or later in the 3.4.x series.

The fix involves validating string lengths before reading prefix bytes to prevent out-of-bounds reads.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42216. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart