CVE-2026-42216

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-42216
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42216.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-42216
Aliases
  • GHSA-65j8-95g9-jgj4
Downstream
Related
Published
2026-05-07T04:01:59.602Z
Modified
2026-06-18T03:55:17.891916327Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenEXR: Out-of-bounds read in `IDManifest::init()` during prefix expansion
Details

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-125"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42216.json"
}
References

Affected packages

Git / github.com/academysoftwarefoundation/openexr

Affected ranges

Type
GIT
Repo
https://github.com/academysoftwarefoundation/openexr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
97f56983d93adc6eb9e6789c144720224de48490
Introduced
c7d3eac70ccde2c4ed484c6638b83ba872f71464
Fixed
c949e9f7be387daeac44797e04b7e6951e583901
Introduced
20a65852895894434bea88613f6d29ac8e88bd6e
Fixed
d25e2a83b5a5f0eb9e350de8218fa27c348da203
Database specific 
{
    "cpe": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.2.9"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.3.11"
        },
        {
            "introduced": "3.4.0"
        },
        {
            "fixed": "3.4.11"
        }
    ]
}

Affected versions

Other
OPENEXR_1_0_4
v1.*
v1.7.1
v2.*
v2.0.0
v2.0.0.GM
v2.0.1
v2.1.0
v2.3.0
v2.4.0
v2.4.0-beta.1
v2.5.0
v3.*
v3.0.0-beta
v3.2.0
v3.2.0-rc
v3.2.0-rc2
v3.2.0-rc3
v3.2.0-rc4
v3.2.1
v3.2.1-rc
v3.2.2
v3.2.2-rc
v3.2.2-rc2
v3.2.3
v3.2.3-rc
v3.2.3-rc2
v3.2.4
v3.2.4-rc
v3.2.4-rc2
v3.2.5
v3.2.5-rc
v3.2.6
v3.2.6-rc
v3.2.7
v3.2.7-rc
v3.2.8
v3.2.8-rc
v3.3.0
v3.3.0-rc2
v3.3.1
v3.3.1-rc
v3.3.10
v3.3.10-rc
v3.3.10-rc2
v3.3.2
v3.3.2-rc
v3.3.2-rc2
v3.3.2-rc3
v3.3.2-rc4
v3.3.3
v3.3.3-rc
v3.3.3-rc1
v3.3.4
v3.3.4-rc
v3.3.5
v3.3.5-rc
v3.3.5-rc3
v3.3.6
v3.3.6-rc
v3.3.6-rc2
v3.3.6-rc3
v3.3.6-rc4
v3.3.7
v3.3.7-rc
v3.3.7-rc2
v3.3.7-rc3
v3.3.7-rc4
v3.3.8
v3.3.8-rc
v3.3.9
v3.3.9-rc
v3.3.9-rc2
v3.4.0
v3.4.1
v3.4.1-rc
v3.4.1-rc2
v3.4.10
v3.4.10-rc
v3.4.11-rc
v3.4.11-rc2
v3.4.2
v3.4.2-rc
v3.4.2-rc2
v3.4.3
v3.4.3-rc
v3.4.3-rc2
v3.4.3-rc3
v3.4.4
v3.4.4-rc
v3.4.4-rc2
v3.4.5
v3.4.5-rc
v3.4.6
v3.4.6-rc
v3.4.7
v3.4.7-rc
v3.4.8
v3.4.8-rc
v3.4.9
v3.4.9-rc

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42216.json"