CVE-2026-26981

OpenEXR CVE-2026-26981 affects 3.3.0–3.3.6 and 3.4.0–3.4.4; a heap-buffer-overflow (OOB read) occurs in istream_nonparallel_read in ImfContextInit.cpp when parsing a malformed EXR via a memory-mapped IStream. A signed integer subtraction becomes a negative value that is implicitly cast to size_t,...