CVE-2026-26981: Signed to Unsigned Conversion Error in OpenEXR

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.0% (top 94.32%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 24; latest update Apr 6

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the `istream_nonparallel_read` function in `ImfContextInit.cpp` when parsing a malformed EXR file through a memory-mapped `IStream`. A signed integer subtraction produces a negative value that is implicitly converted to `size_t`, resulting in a massive l
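The bug class in the description, shown as an added example that is not OpenEXR's code: a hypothetical length helper that subtracts two signed offsets and hands the result to a `size_t`, beside a checked variant that rejects an offset already past the end of the mapping before subtracting. The mapped buffer is a constructed 16-byte sample, not a real EXR file.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed sample standing in for a memory-mapped file (not a real EXR).
static const std::vector<unsigned char> kMapped(16, 0xAB);

// Vulnerable pattern (hypothetical, modelled on the bug class in the advisory,
// not OpenEXR's actual code): the remaining byte count is computed with signed
// arithmetic and then stored in a size_t. Once `pos` has run past `size`
// (possible after parsing a malformed header), `size - pos` is negative and the
// implicit conversion yields an enormous length.
size_t remaining_length_vulnerable(int64_t size, int64_t pos) {
    size_t remaining = size - pos;  // negative int64_t wraps to a huge size_t
    return remaining;
}

// Hardened form: validate the offset before subtracting, so the length can
// never be derived from a negative intermediate value.
bool remaining_length_checked(int64_t size, int64_t pos, size_t &out) {
    if (pos < 0 || size < 0 || pos > size) {
        out = 0;
        return false;  // caller should treat the file as malformed
    }
    out = static_cast<size_t>(size - pos);
    return true;
}

// Copy at most `want` bytes from the mapped buffer into `dst` using the checked
// length, so a read can never extend beyond the mapping.
bool read_checked(int64_t pos, size_t want, unsigned char *dst, size_t &got) {
    size_t avail = 0;
    if (!remaining_length_checked(static_cast<int64_t>(kMapped.size()), pos, avail))
        return false;
    got = std::min(want, avail);
    std::memcpy(dst, kMapped.data() + pos, got);
    return true;
}
```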

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (4 packages)

Source     | Package                               | Affected range                             | Fixed in | More
NVD        | openexr/openexr                       | 3.3.0                                      | 3.3.7    | +1
PyPI       | openexr/openexr                       | 3.3.0                                      | 3.3.7    | +1
CVEListV5  | academysoftwarefoundation/openexr     | >= 3.3.0, < 3.3.7; >= 3.4.0, < 3.4.5       |          | +1

Patches

🔴 Vulnerability Details (3)

GHSA: OpenEXR has heap-buffer-overflow via signed integer underflow in ImfContextInit.cpp (2026-04-06)
OSV: OpenEXR has heap-buffer-overflow via signed integer underflow in ImfContextInit.cpp (2026-04-06)
OSV: CVE-2026-26981: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry (2026-02-24)

📋 Vendor Advisories (2)

Red Hat: openexr: OpenEXR: Denial of Service via heap-buffer-overflow when parsing a malformed EXR file (2026-02-24)
Debian: CVE-2026-26981: openexr - OpenEXR provides the specification and reference implementation of the EXR file ... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-26981 Impact, Exploitability, and Mitigation Steps | Wiz