CVE-2026-42216
Heap Buffer Overflow in OpenEXR Image Library
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openexr | openexr | From 3.0.0 (inc) to 3.2.9 (exc) |
| openexr | openexr | From 3.3.0 (inc) to 3.3.11 (exc) |
| openexr | openexr | From 3.4.0 (inc) to 3.4.11 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-42216 vulnerability is an out-of-bounds read issue in the OpenEXR library's IDManifest::init() function. It happens when the code tries to reconstruct strings from a prefix-compressed format by reading the first two bytes of a string without checking if the string is at least two bytes long. If the string is empty or shorter than two bytes, this leads to reading invalid memory.
This flaw occurs because the code uses stringList[i][0] and stringList[i][1] to calculate a common prefix length without validating the string's length first.
The vulnerability can cause heap memory leaks or process crashes depending on how an attacker manipulates the heap layout.
It affects OpenEXR versions from 3.0.0 up to 3.4.10 and has been fixed in versions 3.2.9, 3.3.11, and 3.4.11 by adding proper length validation before reading the prefix bytes.
How can this vulnerability impact me? :
This vulnerability can impact you by causing your application or system using the OpenEXR library to crash unexpectedly due to out-of-bounds memory reads.
Additionally, it may lead to heap memory leaks, which can degrade system performance or stability over time.
If an attacker can control the heap layout, they might exploit this flaw to cause denial of service or potentially other unpredictable behavior.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an out-of-bounds read in the IDManifest::init() function of the OpenEXR library when processing prefix-compressed strings. Detection would involve identifying usage of vulnerable OpenEXR versions (3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11) on your system.
You can check the installed OpenEXR version using commands like:
- `openexr --version`
- `dpkg -l | grep openexr` (on Debian-based systems)
- `rpm -qa | grep openexr` (on RPM-based systems)
Additionally, monitoring for crashes or heap memory leaks in applications using OpenEXR could indicate exploitation attempts, but no specific detection commands or network signatures are provided.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenEXR to a patched version where this vulnerability is fixed.
- Upgrade to OpenEXR version 3.2.9 or later in the 3.2.x series.
- Upgrade to OpenEXR version 3.3.11 or later in the 3.3.x series.
- Upgrade to OpenEXR version 3.4.11 or later in the 3.4.x series.
The fix involves validating string lengths before reading prefix bytes to prevent out-of-bounds reads.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of the CVE-2026-42216 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.