CVE-2026-26981

Source
https://cve.org/CVERecord?id=CVE-2026-26981
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26981.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26981
Aliases
  • GHSA-q6vj-wxvf-5m8c
Published
2026-02-24T02:26:16.659Z
Modified
2026-02-28T07:42:32.534710Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
OpenEXR has heap-buffer-overflow via signed integer underflow in ImfContextInit.cpp
Details

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the istream_nonparallel_read function in ImfContextInit.cpp when parsing a malformed EXR file through a memory-mapped IStream. A signed integer subtraction produces a negative value that is implicitly converted to size_t, resulting in a massive length being passed to memcpy. Versions 3.3.7 and 3.4.5 contain a patch.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26981.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-195"
    ]
}
Affected packages

Git / github.com/academysoftwarefoundation/openexr

Affected ranges

Type
GIT
Repo
https://github.com/academysoftwarefoundation/openexr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other
OPENEXR_1_0_4
v1.*
v1.7.1
v2.*
v2.0.0
v2.0.0.GM
v2.0.0.beta.1
v2.0.0.beta.2
v2.0.1
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.4.0-beta.1
v2.5.0
v3.*
v3.0.0-beta
v3.2.0-rc
v3.3.0
v3.3.0-rc
v3.3.0-rc1
v3.3.0-rc2
v3.3.1
v3.3.1-rc
v3.3.2
v3.3.2-rc
v3.3.2-rc2
v3.3.2-rc3
v3.3.2-rc4
v3.3.3
v3.3.3-rc
v3.3.3-rc1
v3.3.4
v3.3.4-rc
v3.3.5
v3.3.5-rc
v3.3.5-rc3
v3.3.6
v3.3.6-rc
v3.3.6-rc2
v3.3.6-rc3
v3.3.6-rc4
v3.4-alpha
v3.4.0
v3.4.0-rc
v3.4.1
v3.4.1-rc
v3.4.1-rc2
v3.4.2
v3.4.2-rc
v3.4.2-rc2
v3.4.3
v3.4.3-rc
v3.4.3-rc2
v3.4.3-rc3
v3.4.4
v3.4.4-rc
v3.4.4-rc2

Database specific

vanir_signatures
[
    {
        "id": "CVE-2026-26981-5a525b97",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/academysoftwarefoundation/openexr/commit/d2be382758adc3e9ab83a3de35138ec28d93ebd8",
        "target": {
            "function": "istream_nonparallel_read",
            "file": "src/lib/OpenEXR/ImfContextInit.cpp"
        },
        "digest": {
            "length": 1486.0,
            "function_hash": "203178239813441149423426696725067004647"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2026-26981-5a646843",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/academysoftwarefoundation/openexr/commit/6bb2ddf1068573d073edf81270a015b38cc05cef",
        "target": {
            "function": "istream_nonparallel_read",
            "file": "src/lib/OpenEXR/ImfContextInit.cpp"
        },
        "digest": {
            "length": 1486.0,
            "function_hash": "203178239813441149423426696725067004647"
        },
        "signature_type": "Function"
    }
]

Git / github.com/openexr/openexr

Affected versions

v3.*
v3.3.0
v3.3.0-rc2
v3.3.1
v3.3.1-rc
v3.3.2
v3.3.2-rc
v3.3.2-rc2
v3.3.2-rc3
v3.3.2-rc4
v3.3.3
v3.3.3-rc
v3.3.3-rc1
v3.3.4
v3.3.4-rc
v3.3.5
v3.3.5-rc
v3.3.5-rc3
v3.3.6
v3.3.6-rc
v3.3.6-rc2
v3.3.6-rc3
v3.3.6-rc4
v3.3.7-rc
v3.3.7-rc2
v3.3.7-rc3
v3.4.0
v3.4.1
v3.4.1-rc
v3.4.1-rc2
v3.4.2
v3.4.2-rc
v3.4.2-rc2
v3.4.3
v3.4.3-rc
v3.4.3-rc2
v3.4.3-rc3
v3.4.4
v3.4.4-rc
v3.4.4-rc2
v3.4.5-rc
