CVE-2026-45696 AcademySoftwareFoundation CVE debrief

Who should care

Organizations and individuals who use OpenEXR, particularly in the motion picture industry, should be aware of this vulnerability. This includes developers, asset pipelines, thumbnailers, and anyone who opens untrusted EXR files.

Technical summary

The HTJ2K decoder, ht_undo_impl() in OpenEXRCore, is vulnerable to a heap-buffer-overflow READ. The ht_undo_impl function copies decoded pixels out of a per-line OpenJPH buffer using the EXR channel's declared width as the iteration count, without validating the OpenJPH line buffer's actual length. A crafted EXR file can declare different (smaller) tile/line dimensions than the EXR header advertises, leading to a 4-byte heap-buffer-overflow READ immediately after a buffer allocated by ojph::local::codestream::finalize_alloc().

Defensive priority

High

Recommended defensive actions

• Update OpenEXR to version 3.4.12 or later
• Avoid opening untrusted EXR files
• Use secure decoding practices when handling EXR files
• Implement additional security measures, such as sandboxing or validating EXR file contents
• Monitor for and respond to potential exploitation attempts
• Consider using alternative image formats or libraries with built-in security features

Evidence notes

The vulnerability is caused by a lack of validation in the ht_undo_impl function. The OpenEXR library does not properly check the OpenJPH line buffer's actual length, leading to a heap-buffer-overflow READ. This issue has been fixed in version 3.4.12.

Official resources