PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42216 AcademySoftwareFoundation CVE debrief

CVE-2026-42216 is a high-severity vulnerability in OpenEXR, an image storage format for the motion picture industry. The vulnerability affects versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11. The issue arises from the IDManifest::init() function, which reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. However, the code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This vulnerability has been patched in versions 3.2.9, 3.3.11, and 3.4.11. The CVSS score for this vulnerability is 8.8, indicating a high severity. The vulnerability was published on May 7, 2026, and last modified on June 30, 2026.

Vendor
AcademySoftwareFoundation
Product
openexr
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-07
Original CVE updated
2026-06-30
Advisory published
2026-05-07
Advisory updated
2026-06-30

Who should care

Anyone running OpenEXR 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, or 3.4.0 to before 3.4.11 is in scope. The obvious population is motion picture and VFX pipelines, but OpenEXR is a library as well as a file format, so any application or service that links it and opens .exr files from outside its own trust boundary (for example an ingest or conversion service that accepts uploaded files) is exposed as well. With a CVSS score of 8.8, patching should not wait for evidence of exploitation.

Technical summary

IDManifest::init() rebuilds each string of a manifest from the previous string plus a stored suffix: an entry starts with the number of leading bytes it shares with the previous string, held in one byte, or in two bytes once the previous string is longer than 255 bytes. In the two-byte case the code reads stringList[i][0] and stringList[i][1] without first confirming that the current entry actually holds two bytes, so a crafted manifest that places a short entry after a long string makes the parser read past the end of that entry. That is an out-of-bounds read (CWE-125) produced by a length inconsistency between what the encoding implies and what the entry contains (CWE-130); the recorded weakness classes describe a read, not a write, so "buffer overflow" overstates what the evidence supports, even though the 8.8 score signals a serious impact. Affected: 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11; fixed in 3.2.9, 3.3.11, and 3.4.11.
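The following is an added example written for this page, not OpenEXR's IDManifest code: a small model of the prefix-compressed decoding described above, with the unchecked read placed beside a checked decoder that rejects a truncated entry. The entry layout (prefix length first, big-endian when two bytes, then the suffix), the function names, and the constructed sample data are assumptions made for the illustration and are not taken from the OpenEXR format specification.

```cpp
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Assumed entry layout for this illustration (not OpenEXR's on-disk format):
// a prefix length, 1 byte normally or 2 bytes big-endian when the previous
// reconstructed string is longer than 255 bytes, then the differing suffix.
static std::size_t prefixFieldSize(const std::string& prev)
{
    return prev.size() > 255 ? 2 : 1;
}

// Vulnerable shape (illustrative): prefix bytes are read on the assumption that
// every entry holds them. After a string over 255 bytes, an empty entry makes
// stringList[i][1] a read past the end of the entry (CWE-125).
std::vector<std::string> decodeUnchecked(const std::vector<std::string>& stringList)
{
    std::vector<std::string> out;
    std::string prev;
    for (std::size_t i = 0; i < stringList.size(); ++i) {
        std::size_t prefixLen = static_cast<unsigned char>(stringList[i][0]);
        if (prev.size() > 255) {
            // Missing: a check that stringList[i].size() >= 2 before this read.
            prefixLen = (prefixLen << 8) | static_cast<unsigned char>(stringList[i][1]);
        }
        out.push_back(prev.substr(0, prefixLen) + stringList[i].substr(prefixFieldSize(prev)));
        prev = out.back();
    }
    return out;
}

// Checked shape: confirm the entry holds the whole prefix field before reading
// it, and reject the list (here by throwing) when it does not.
std::vector<std::string> decodeChecked(const std::vector<std::string>& stringList)
{
    std::vector<std::string> out;
    std::string prev;
    for (const std::string& entry : stringList) {
        const std::size_t field = prefixFieldSize(prev);
        if (entry.size() < field)
            throw std::runtime_error("truncated prefix field in string list entry");
        std::size_t prefixLen = static_cast<unsigned char>(entry[0]);
        if (field == 2)
            prefixLen = (prefixLen << 8) | static_cast<unsigned char>(entry[1]);
        out.push_back(prev.substr(0, prefixLen) + entry.substr(field));
        prev = out.back();
    }
    return out;
}

// Encoder for the same layout; builds well-formed input for the decoders above
// (assumes the previous string length fits in two bytes, true for the samples).
std::vector<std::string> encode(const std::vector<std::string>& strings)
{
    std::vector<std::string> list;
    std::string prev;
    for (const std::string& s : strings) {
        std::size_t common = 0;
        while (common < prev.size() && common < s.size() && prev[common] == s[common])
            ++common;
        std::string entry;
        if (prev.size() > 255)
            entry.push_back(static_cast<char>(common >> 8));
        entry.push_back(static_cast<char>(common & 0xff));
        entry.append(s, common, std::string::npos);
        list.push_back(entry);
        prev = s;
    }
    return list;
}

// Constructed sample names; the 300-byte names exercise the two-byte prefix path.
std::vector<std::string> sampleNames()
{
    const std::string longName(300, 'a');
    return {"objectA", "objectB", "object", longName, longName + "tail", "z"};
}

// Constructed malformed list: a 300-byte string followed by an empty entry, so
// the two-byte prefix field the decoder expects is absent.
std::vector<std::string> constructedMalformedList()
{
    std::vector<std::string> list = encode({std::string(300, 'a')});
    list.push_back(std::string());
    return list;
}

bool checkedDecoderRejects(const std::vector<std::string>& list)
{
    try { decodeChecked(list); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main()
{
    std::cout << "round trip ok: " << (decodeChecked(encode(sampleNames())) == sampleNames()) << "\n";
    std::cout << "malformed rejected: " << checkedDecoderRejects(constructedMalformedList()) << "\n";
}
```

Only the checked decoder is run against the malformed list: feeding it to decodeUnchecked would read past the end of the empty entry, which is undefined behaviour in C++ and exactly the condition the fixed releases guard against. The round trip through encode and both decoders shows that the added length check changes nothing for well-formed data.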

Defensive priority

High priority. The CVSS score is 8.8 and the faulty code runs while parsing manifest data carried in the file, so update OpenEXR to the fixed release for the branch in use (3.2.9, 3.3.11, or 3.4.11) as soon as the change can be scheduled. Deployments on 3.0.x or 3.1.x have no fixed release of their own and need to move to 3.2.9 or later.

Recommended defensive actions

  • Update OpenEXR to the fixed release of the branch in use: 3.2.9, 3.3.11, or 3.4.11. Installations on 3.0.x or 3.1.x have no fixed release in their own branch and should move to 3.2.9 or later.
  • Inventory everything that carries OpenEXR, including applications that bundle or statically link the library and so do not appear in the system package list, and confirm each copy is at or above the fixed release.
  • Where patching lags, isolate the parsing of untrusted .exr files (a separate worker, sandbox, or container with minimal privileges) and alert on crashes in OpenEXR-linked processes, which is a likely signal of a malformed manifest being exercised.
  • Verify that vendor remediation workflows are in place and functioning correctly; distribution packages may ship the fix as a backport under an older version number, so check the vendor advisory rather than the version string alone.
  • Track exceptions for any systems that cannot be immediately patched.
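An added triage helper, written for this page and not taken from PatchSiren or the OpenEXR project, that encodes the advisory's affected ranges and fix releases exactly as stated above: it classifies a reported OpenEXR version string as affected, fixed, or outside the listed ranges, and names the release to move to. The version strings in the usage line are constructed inputs.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// maj.mnr.pat, named this way to avoid the major()/minor() macros some
// platform headers define.
struct Version { int maj = 0; int mnr = 0; int pat = 0; };

// Parses "MAJOR.MINOR.PATCH"; anything after the patch number (for example a
// distribution suffix such as "-2") is ignored.
bool parseVersion(const std::string& text, Version& v)
{
    char dot1 = 0, dot2 = 0;
    std::istringstream in(text);
    if (!(in >> v.maj >> dot1 >> v.mnr >> dot2 >> v.pat)) return false;
    return dot1 == '.' && dot2 == '.' && v.maj >= 0 && v.mnr >= 0 && v.pat >= 0;
}

// Affected ranges and fix levels as the advisory states them:
//   3.0.0 <= v < 3.2.9  -> fixed in 3.2.9 (3.0.x and 3.1.x have no fix of their own)
//   3.3.0 <= v < 3.3.11 -> fixed in 3.3.11
//   3.4.0 <= v < 3.4.11 -> fixed in 3.4.11
// Versions outside these ranges (pre-3.0, 3.5 and later) are reported as such
// rather than assumed safe, since the advisory makes no claim about them.
std::string classify(const std::string& text)
{
    Version v;
    if (!parseVersion(text, v)) return "unparseable version";
    if (v.maj != 3 || v.mnr > 4) return "outside advisory ranges";
    int fixMinor = 0, fixPatch = 0;
    if (v.mnr <= 2)      { fixMinor = 2; fixPatch = 9; }
    else if (v.mnr == 3) { fixMinor = 3; fixPatch = 11; }
    else                 { fixMinor = 4; fixPatch = 11; }
    const bool belowFix = v.mnr < fixMinor || (v.mnr == fixMinor && v.pat < fixPatch);
    const std::string fix = "3." + std::to_string(fixMinor) + "." + std::to_string(fixPatch);
    return belowFix ? "affected; update to " + fix : "fixed (" + fix + " or later)";
}

// Usage (constructed inputs): ./openexr_cve_check 3.3.10 3.4.11 3.1.5
int main(int argc, char** argv)
{
    for (int i = 1; i < argc; ++i)
        std::cout << argv[i] << ": " << classify(argv[i]) << "\n";
    return 0;
}
```

Treat the output as a starting point, not a verdict: distribution packages that backport the fix keep an older version number, so a build reported as affected here may already be patched according to the vendor advisory (Red Hat's is cited in the evidence notes below), and a bundled copy inside an application has to be checked at that application's level.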

Evidence notes

The CVE-2026-42216 vulnerability is documented in the official CVE record and NVD detail pages. Additional information is available from the OpenEXR security advisory and Red Hat security advisories. The vulnerability has a CVSS score of 8.8, indicating high severity. The issue is related to CWE-125 and CWE-130 weaknesses.

Official resources

This article is AI-assisted and based on the supplied source corpus.