QwikSec

Security Database

CVE

CWE

Training

CVE-2026-42217

Published: May 7, 2026

Modified: May 7, 2026

PUBLISHED

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, readVariableLengthInteger() decodes a variable-length integer from untrusted EXR input without bounding the shift count. After enough continuation bytes, the code executes a left shift by 70 on a 64-bit value, which is undefined behavior. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.

Vendor	Product	Versions
AcademySoftwareFoundation	openexr	affected `>= 3.0.0, < 3.2.9` affected `>= 3.3.0, < 3.3.11` affected `>= 3.4.0, < 3.4.11`

Weaknesses (CWE)

References

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3c67-4wwp-w52m

x_refsource_CONFIRM

https://github.com/AcademySoftwareFoundation/openexr/pull/2378

x_refsource_MISC

https://github.com/AcademySoftwareFoundation/openexr/commit/21eaa33bcbbb0c83a5fc42f6b6d65b70a996e63c

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.