OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the istream_nonparallel_read function in ImfContextInit.cpp when parsing a malformed EXR file through a memory-mapped IStream. A signed integer subtraction produces a negative value that is implicitly converted to size_t, resulting in a massive length being passed to memcpy. Versions 3.3.7 and 3.4.5 contain a patch.
{
"cwe_ids": [
"CWE-195"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26981.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.7"
},
{
"introduced": "3.4.0"
},
{
"fixed": "3.4.5"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}[
{
"source": "https://github.com/academysoftwarefoundation/openexr/commit/d2be382758adc3e9ab83a3de35138ec28d93ebd8",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "203178239813441149423426696725067004647",
"length": 1486.0
},
"deprecated": false,
"id": "CVE-2026-26981-5a525b97",
"target": {
"function": "istream_nonparallel_read",
"file": "src/lib/OpenEXR/ImfContextInit.cpp"
}
},
{
"source": "https://github.com/academysoftwarefoundation/openexr/commit/6bb2ddf1068573d073edf81270a015b38cc05cef",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "203178239813441149423426696725067004647",
"length": 1486.0
},
"deprecated": false,
"id": "CVE-2026-26981-5a646843",
"target": {
"function": "istream_nonparallel_read",
"file": "src/lib/OpenEXR/ImfContextInit.cpp"
}
},
{
"source": "https://github.com/academysoftwarefoundation/openexr/commit/6bb2ddf1068573d073edf81270a015b38cc05cef",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"201273958621668520371750826698792441326",
"120460579602726193602003540117105330515",
"141391920219548362044519675177848764342",
"161735030611050642409771232174642374808",
"14794179868677938007826040057612910107",
"114259587418400404575152605867966412692",
"186364034641259611919768213429269351078",
"114884463824472841261294685087723496704"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-26981-b85cb1d7",
"target": {
"file": "src/lib/OpenEXR/ImfContextInit.cpp"
}
},
{
"source": "https://github.com/academysoftwarefoundation/openexr/commit/d2be382758adc3e9ab83a3de35138ec28d93ebd8",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"201273958621668520371750826698792441326",
"120460579602726193602003540117105330515",
"141391920219548362044519675177848764342",
"161735030611050642409771232174642374808",
"14794179868677938007826040057612910107",
"114259587418400404575152605867966412692",
"186364034641259611919768213429269351078",
"114884463824472841261294685087723496704"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-26981-b941da6f",
"target": {
"file": "src/lib/OpenEXR/ImfContextInit.cpp"
}
}
]
"2026-07-15T15:53:36Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26981.json"