Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the `istream_nonparallel_read` function in `ImfContextInit.cpp` when parsing a malformed EXR file through a memory-mapped `IStream`. A signed integer subtraction produces a negative value that is implicitly converted to `size_t`, resulting in a massive length being passed to `memcpy`. Versions 3.3.7 and 3.4.5 contain a patch.

INFO

Published Date :

2026-02-24T02:26:16.659Z

Last Modified :

2026-02-24T20:03:54.667Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26981 vulnerability.

Vendors Products
Academysoftwarefoundation
  • Openexr
Openexr
  • Openexr
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26981.

URL Resource
https://github.com/AcademySoftwareFoundation/openexr/commit/6bb2ddf1068573d073edf81270a015b38cc05cef cve-icon cve-icon cve-icon
https://github.com/AcademySoftwareFoundation/openexr/commit/d2be382758adc3e9ab83a3de35138ec28d93ebd8 cve-icon cve-icon cve-icon
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q6vj-wxvf-5m8c cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-26981 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-26981 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact