VuXML: OpenEXR -- 3.4.12 fixes multiple vulnerabilities

VuXML ID	ca91c020-5820-11f1-b38d-9be2e6022e28
Discovery	2026-05-25
Entry	2026-05-25

Cary Phillips reports:

[The OpenEXR 3.4.12] release addresses the following security vulnerabilities:

CVE-2026-45696 OpenEXR ht_undo_impl heap-buffer-overflow READ via codestream/channel width mismatch in HTJ2K decode

CVE-2026-44663 Integer overflow in HTJ2K decoder ( ht_undo_impl ) leading to heap-buffer-overflow

OSS-Fuzz 512895184 Null-dereference WRITE in Imf_4_0::TileProcess::run_decode

OSS-fuzz 512314697 Direct-leak in internal_exr_add_part

OSS-fuzz 508362159 Heap-buffer-overflow in DwaCompressor_uncompress

OSS-fuzz 507413960 Heap-buffer-overflow in generic_unpack

[source]

CVE Name	CVE-2026-44663
CVE Name	CVE-2026-45696
URL	https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.12

OpenEXR -- 3.4.12 fixes multiple vulnerabilities

Details

References