
OpenEXR file format allows malicious files to crash the application

CVE-2026-26981
Summary

A file parsing flaw in OpenEXR versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4 can crash an application that opens a manipulated image file. This is a security risk, especially for users in the motion picture industry. Update to version 3.3.7 or 3.4.5 to fix the issue.

What to do

Update to OpenEXR 3.3.7 or 3.4.5, which contain the patch. If OpenEXR is bundled in other software you use, check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| openexr | openexr | > 3.3.0, <= 3.3.7 | |
| openexr | openexr | > 3.4.0, <= 3.4.5 | |
Original title
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3....
Original description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the `istream_nonparallel_read` function in `ImfContextInit.cpp` when parsing a malformed EXR file through a memory-mapped `IStream`. A signed integer subtraction produces a negative value that is implicitly converted to `size_t`, resulting in a massive length being passed to `memcpy`. Versions 3.3.7 and 3.4.5 contain a patch.
NVD CVSS 3.1 score: 6.5
Vulnerability type
CWE-195
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
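
The signed-to-unsigned conversion named in the original description (CWE-195), shown as an added example that is not OpenEXR's code: a negative signed difference becomes a huge `size_t` length, next to a read that validates before converting. The `mem_stream` type, the function names and the 16-byte buffer are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical memory-backed stream (assumption, not OpenEXR's types). */
typedef struct {
    const uint8_t *base;   /* start of the mapped file */
    int64_t        size;   /* number of bytes mapped */
} mem_stream;

/* Flawed pattern: returns the length that would be handed to memcpy.
   If offset lies past the end, the signed difference is negative and the
   conversion to size_t wraps it to a value close to SIZE_MAX. */
size_t flawed_copy_len(const mem_stream *s, int64_t offset, int64_t want)
{
    int64_t avail = s->size - offset;         /* may be negative */
    int64_t n = want < avail ? want : avail;  /* the negative value survives */
    return (size_t)n;                         /* signed -> unsigned wrap */
}

/* Hardened form: validate while the values are still signed, convert after.
   Returns the number of bytes copied, or -1 if the request is out of range. */
int64_t checked_read(const mem_stream *s, int64_t offset,
                     void *dst, int64_t want)
{
    if (offset < 0 || want < 0 || offset > s->size)
        return -1;
    int64_t avail = s->size - offset;         /* known to be >= 0 here */
    int64_t n = want < avail ? want : avail;
    memcpy(dst, s->base + offset, (size_t)n);
    return n;
}

int main(void)
{
    /* Constructed sample: a 16-byte "file" and an offset taken from a
       malformed header that points past the end of the mapping. */
    static const uint8_t file[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
    mem_stream s = { file, 16 };
    uint8_t out[8];

    printf("flawed length : %zu\n", flawed_copy_len(&s, 32, 8));
    printf("checked (bad) : %lld\n", (long long)checked_read(&s, 32, out, 8));
    printf("checked (ok)  : %lld\n", (long long)checked_read(&s, 12, out, 8));
    return 0;
}
```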