Integer overflow in OpenEXR - CVE-2026-42217

 

Published: May 5, 2026


Vulnerability identifier: #VU129653
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-42217
CWE-ID: CWE-190
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEXR
Affected software:
OpenEXR

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.

The vulnerability exists due to an integer overflow or wraparound in readVariableLengthInteger() in ImfIDManifest.cpp when parsing a crafted EXR file that contains an idmanifest attribute. A remote attacker can supply a specially crafted EXR file to cause a denial of service and disclose sensitive information.

The corrupted return value is used as a string-list length in readStringList(), which can lead to reads beyond the end of the supplied buffer. User interaction is required to open or process the crafted EXR file.
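The defensive pattern the description implies is a variable-length integer decoder that refuses to wrap, followed by a list reader that checks the decoded count against the bytes actually remaining before it allocates or reads. The following is an added illustration, not OpenEXR's code: it assumes a generic LEB128-style encoding (7 data bits per byte, high bit as continuation) and hypothetical function names readVarint, readStringList, parseStringList, decodeVarint and rejects; the real encoding and checks in ImfIDManifest.cpp are not described on this page.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed example of an overflow- and bounds-checked reader.
// Assumption: LEB128-style little-endian base-128 varints.

struct Reader {
    const uint8_t* data;
    size_t size;
    size_t pos = 0;
};

// Decode an unsigned varint. Rejects truncated input and any value
// that would not fit in 64 bits instead of silently wrapping.
uint64_t readVarint(Reader& r) {
    uint64_t value = 0;
    unsigned shift = 0;
    for (;;) {
        if (r.pos >= r.size) throw std::runtime_error("truncated varint");
        uint8_t byte = r.data[r.pos++];
        uint64_t chunk = byte & 0x7f;
        // The chunk must fit entirely in the bits left above 'shift'.
        if (shift >= 64 || (shift > 0 && (chunk >> (64 - shift)) != 0))
            throw std::runtime_error("varint overflows 64 bits");
        value |= chunk << shift;
        if ((byte & 0x80) == 0) return value;
        shift += 7;
    }
}

// Read a list of length-prefixed strings. The element count and each
// length are validated against the remaining buffer before use.
std::vector<std::string> readStringList(Reader& r) {
    uint64_t count = readVarint(r);
    // Every string needs at least one length byte, so a count larger
    // than the remaining bytes can never be valid; reject before reserve().
    if (count > r.size - r.pos) throw std::runtime_error("string count exceeds buffer");
    std::vector<std::string> out;
    out.reserve(static_cast<size_t>(count));
    for (uint64_t i = 0; i < count; ++i) {
        uint64_t len = readVarint(r);
        if (len > r.size - r.pos) throw std::runtime_error("string length exceeds buffer");
        out.emplace_back(reinterpret_cast<const char*>(r.data + r.pos),
                         static_cast<size_t>(len));
        r.pos += static_cast<size_t>(len);
    }
    return out;
}

// Convenience wrappers over a byte vector (constructed inputs in main/test).
std::vector<std::string> parseStringList(const std::vector<uint8_t>& bytes) {
    Reader r{bytes.data(), bytes.size()};
    return readStringList(r);
}

uint64_t decodeVarint(const std::vector<uint8_t>& bytes) {
    Reader r{bytes.data(), bytes.size()};
    return readVarint(r);
}

// True if the reader rejects the input, false if it parses cleanly.
bool rejects(const std::vector<uint8_t>& bytes) {
    try {
        parseStringList(bytes);
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}

int main() {
    // Constructed sample: count=2, "hi", "x".
    std::vector<uint8_t> good{0x02, 0x02, 0x68, 0x69, 0x01, 0x78};
    for (const auto& s : parseStringList(good)) std::printf("%s\n", s.c_str());
    // Constructed sample: ten continuation bytes, more than 64 bits of payload.
    std::vector<uint8_t> wrap{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f};
    std::printf("overflowing varint rejected: %d\n", rejects(wrap));
    // Constructed sample: count=5 but only two bytes follow.
    std::vector<uint8_t> oversized{0x05, 0x01, 0x61};
    std::printf("oversized count rejected: %d\n", rejects(oversized));
    return 0;
}
```

The two checks are independent: the varint guard stops the length itself from wrapping, and the `count > remaining` comparison stops an honestly encoded but absurd count from driving reads past the end of the buffer, which is the failure mode the description attributes to readStringList().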


How to mitigate CVE-2026-42217

Install the security update from the vendor's website.

Sources