JLSEC-2026-131 — Vulnetix

JLSEC-2026-131 PUBLISHED

In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.

Affected Products

Vendor	Product	Versions
Julia	OpenEXR_jll	3.1.4+0, 3.1.4+0

Timeline

Apr 17, 2026 CVE Published
Apr 17, 2026 CVE Updated
May 1, 2026 Distribution Patch

References

https://bugzilla.redhat.com/show_bug.cgi?id=2019789 url
https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I2JSMJ7HLWFPYYV7IAQZD5ZUUUN7RWBN/ url
https://security.gentoo.org/glsa/202210-31 url
https://www.debian.org/security/2022/dsa-5299 url

Open in Interactive Console →