VIR Vulnerability Intelligence Relay

CVE-2026-42217

critical
Published 2026-05-07 · Modified 2026-05-08
CVSS v3
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
VIR risk
9.8

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, readVariableLengthInteger() decodes a variable-length integer from untrusted EXR input without bounding the shift count. After enough continuation bytes, the code executes a left shift by 70 on a 64-bit value, which is undefined behavior. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-42217

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-42217.html

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3c67-4wwp-w52m

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/AcademySoftwareFoundation/openexr/pull/2378

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/AcademySoftwareFoundation/openexr/commit/21eaa33bcbbb0c83a5fc42f6b6d65b70a996e63c

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debianbookwormaffected
debian debianbullseyeaffected
debian debianforkyaffected
debian debiansidaffected
debian debiantrixieaffected

Application impact
VendorProductVersionsFixed
openexropenexr{"startIncluding":"3.0.0","endExcluding":"3.2.9"}3.2.9

References

CWEs

CWE-190

Verify integrity in audit chain (admin only). AS-IS.