The vulnerability CVE-2026-26981 affects the openexr library maintained by the AcademySoftwareFoundation, which implements the EXR image file format widely used in the motion picture industry. The flaw exists in versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4 within the istream_nonparallel_read function in ImfContextInit.cpp. When parsing a malformed EXR file through a memory-mapped input stream, a signed integer subtraction results in a negative value that is implicitly converted to an unsigned size_t type. This conversion causes an excessively large length parameter to be passed to memcpy, leading to a heap-based buffer overflow due to out-of-bounds memory access. This vulnerability is classified under CWE-195 (Signed to Unsigned Conversion Error). Exploitation requires the victim to process a maliciously crafted EXR file, which triggers the overflow. The impact is primarily on availability, as the overflow can cause application crashes or denial of service. The CVSS v3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction. The vulnerability does not affect confidentiality or integrity directly. The issue has been fixed in openexr versions 3.3.7 and 3.4.5. No public exploits have been reported to date.

This vulnerability can cause denial of service by crashing applications that parse EXR files using vulnerable openexr versions. In environments where openexr is integrated into media production pipelines, automated image processing, or rendering workflows, an attacker could disrupt operations by supplying malformed EXR files. While no direct confidentiality or integrity compromise is indicated, the availability impact could delay production schedules and cause operational downtime. Since exploitation requires user interaction (opening or processing a crafted file), the risk is mitigated somewhat but remains significant in environments processing untrusted EXR files. The lack of privilege requirements and network attack vector means attackers can remotely trigger the issue if file ingestion is exposed. Organizations relying on openexr for critical imaging tasks should consider this a medium risk that could affect service continuity.

1. Upgrade openexr to versions 3.3.7 or 3.4.5 or later, where the vulnerability is patched. 2. Implement strict validation and sanitization of EXR files before processing, especially from untrusted sources. 3. Employ sandboxing or containerization for applications that parse EXR files to contain potential crashes or memory corruption. 4. Monitor application logs and crash reports for anomalies related to EXR file processing. 5. Restrict network exposure of services that automatically ingest EXR files to trusted sources only. 6. Educate users and operators about the risks of opening untrusted EXR files and enforce policies to avoid processing files from unknown origins. 7. Consider runtime memory protection mechanisms such as ASLR and DEP to mitigate exploitation impact. 8. Conduct regular vulnerability scanning and patch management to ensure timely updates.