CVE-2026-42216 · EXPLOITED
openexr · openexr

OpenEXR: Out-of-bounds read in `IDManifest::init()` during prefix expansion

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
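The following is an added illustration, not OpenEXR's code: a simplified model of expanding a prefix-compressed string list of the kind the description attributes to IDManifest::init(), written with the length checks in place so that a truncated entry is rejected instead of read past its end. The header layout (one prefix-length byte, or two bytes with the high byte first once the previous string exceeds 255 bytes) and the function names are assumptions made for the example.

```cpp
// Added example, not OpenEXR's code. Models the prefix-compressed string
// list described for IDManifest::init(); the header layout (1 byte, or
// 2 bytes high byte first when the previous string is longer than 255
// bytes) is an assumption made for this illustration.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Header bytes an entry carries, decided by the previously decoded string.
static size_t headerBytes(const std::string& prev) { return prev.size() > 255 ? 2 : 1; }

// Each entry after the first stores the length of the prefix shared with the
// previous string, followed by the bytes that differ. Before the header is
// read, the entry must be at least headerBytes() long (the check the advisory
// describes as missing); the decoded prefix length must also fit the previous
// string. Malformed input throws instead of reading out of bounds.
std::vector<std::string> expandPrefixes(const std::vector<std::string>& entries)
{
    std::vector<std::string> out;
    std::string prev;
    for (const std::string& cur : entries) {
        std::string s = cur;                      // first entry is stored verbatim
        if (!out.empty()) {
            size_t hdr = headerBytes(prev);
            if (cur.size() < hdr)
                throw std::length_error("entry shorter than its prefix header");
            size_t shared = static_cast<unsigned char>(cur[hdr - 1]);
            if (hdr == 2)
                shared |= static_cast<size_t>(static_cast<unsigned char>(cur[0])) << 8;
            if (shared > prev.size())
                throw std::length_error("prefix length exceeds previous string");
            s = prev.substr(0, shared) + cur.substr(hdr);
        }
        out.push_back(s);
        prev = s;
    }
    return out;
}

// Convenience for callers that want a verdict rather than an exception:
// true when the list expands cleanly, false when it is malformed.
bool isWellFormed(const std::vector<std::string>& entries)
{
    try { expandPrefixes(entries); return true; }
    catch (const std::length_error&) { return false; }
}
```

Constructed inputs for the test: a short list with a one-byte header, a list whose previous string is 300 bytes long so the next entry needs a two-byte header, and entries that are too short for the header they must carry.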

Affected Products

Vendor    Product   Versions
openexr   openexr   >= 3.0.0, < 3.2.9; >= 3.3.0, < 3.3.11; >= 3.4.0, < 3.4.11

References

  • https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-65j8-95g9-jgj4

Related News (1 article)

VulDB (Tier C, 4d ago): CVE-2026-42216 | AcademySoftwareFoundation OpenEXR up to 3.2.8/3.3.10/3.4.10 EXR File IDManifest::init out-of-bounds (GHSA-65j8-95g9-jgj4 / EUVD-2026-28298)
  → No new info (linked only)
CISA KEV: No
Actively exploited: Yes
CWE: CWE-125
Published: May 7, 2026
Last enriched: 4d ago (v2)
Trending Score: 29
Source articles: 1
Independent: 1
Info Completeness: 7/14
Missing: cvss, epss, kev, exploit, patch, iocs, mitre_attack


Related CVEs (5)

CRITICAL · CVE-2026-34588 · EXP
OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
Trending: 63

MEDIUM · CVE-2026-39886 · EXP
OpenEXR has HTJ2K Signed Integer Overflow in ht_undo_impl()
Trending: 3

NONE · CVE-2026-40244 · EXP
OpenEXR has integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)
Trending: 2

NONE · CVE-2026-40250 · EXP
OpenEXR has integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)
Trending: 2

HIGH · CVE-2026-34379
OpenEXR has a misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)
Trending: 1

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: May 7, 2026
Discovered by ZDM: May 7, 2026
Updated (description, severity, affectedVersions, activelyExploited): May 7, 2026
Actively Exploited: May 7, 2026

Version History

Current version: v2 (last enriched 4d ago)

v2 · Tier C · 4d ago · via VulDB
Updated severity to CRITICAL, added affected versions up to 3.2.8/3.3.10/3.4.10, and noted that no exploit exists.
Fields changed: description, severity, affectedVersions, activelyExploited

v1 · 4d ago
Initial creation