OpenEXR: Out-of-bounds read in `IDManifest::init()` during prefix expansion
Summary
| CVE | CVE-2026-42216 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-07 04:16:34 UTC |
| Updated | 2026-07-15 02:21:28 UTC |
| Description | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11. |
Risk And Classification
Primary CVSS: v4.0 8.8 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000450000 probability, percentile 0.137810000 (date 2026-05-12)
Problem Types: CWE-125 | CWE-130 | CWE-125 CWE-125: Out-of-bounds Read | CWE-130 Improper Handling of Length Parameter Inconsistency
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| 3.1 | ADP | CVSS | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | AcademySoftwareFoundation | Openexr | affected >= 3.0.0, < 3.2.9 | Not specified |
| CNA | AcademySoftwareFoundation | Openexr | affected >= 3.3.0, < 3.3.11 | Not specified |
| CNA | AcademySoftwareFoundation | Openexr | affected >= 3.4.0, < 3.4.11 | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | unaffected 0:3.1.10-8.el10_2.3 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10.0 Extended Update Support | unaffected 0:3.1.10-8.el10_0.3 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | unaffected 0:3.1.1-3.el9_8.3 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9.2 Update Services For SAP Solutions | unaffected 0:3.1.1-2.el9_2.4 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9.4 Update Services For SAP Solutions | unaffected 0:3.1.1-2.el9_4.4 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9.6 Extended Update Support | unaffected 0:3.1.1-3.el9_6.3 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:39026 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:38498 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-65... | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | Exploit, Mitigation, Vendor Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42216.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-42216 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:39024 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:39025 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:38499 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:39027 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-07T05:02:12.164Z | Reported to Red Hat. |
| ADP | 2026-05-07T04:01:59.602Z | Made public. |
Solutions
ADP: RHSA-2026:39024: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)
ADP: RHSA-2026:38499: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)
ADP: RHSA-2026:39027: Red Hat Enterprise Linux AppStream E4S (v.9.2)
ADP: RHSA-2026:39026: Red Hat Enterprise Linux AppStream E4S (v.9.4)
ADP: RHSA-2026:39025: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:38498: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)
Workarounds
ADP: To mitigate this issue, avoid processing untrusted or unverified EXR image files. Users should exercise caution when opening EXR files from unknown or suspicious sources, as this vulnerability requires user interaction with a malicious file.