VDB
CVE-2026-42216
CVE-2026-42216
PUBLISHED
CVSS 8.800000190734863 HIGH
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
EPSS 0.06% · 18.7th percentile
Risk Scores
CVSS v4.0
8.800000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.06%
18.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| AcademySoftwareFoundation | openexr | >= 3.0.0, < 3.2.9, >= 3.4.0, < 3.4.11, * |
Timeline
- May 7, 2026 CVE Published
- May 7, 2026 PoC Published
- May 7, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
- May 26, 2026 EPSS Score