SUSE Package Hub - SUSE-PackageHub-16.0-750

Update Info

SUSE-PackageHub-16.0-750

Security update for openexr

Type: security

Severity: important

Issued: 2026-05-15

Description:

This update for openexr fixes the following issues

- CVE-2026-41142: integer overflow in `ImageChannel: resize` can lead to a heap out-of-bounds write via OpenEXRUtil
  public API (bsc#1264356).
- CVE-2026-42216: missing checks in `IDManifest: init()` can lead to out-of-bounds read during prefix expansion
  (bsc#1264354).
- CVE-2026-42217: missing bounds check for shift counter in `readVariableLengthInteger` can lead to shift exponent
  overflow and cause undefined behavior (bsc#1264353).

References

CVE: CVE-2026-42217
CVE: CVE-2026-42216
CVE: CVE-2026-41142
Bugzilla: 1264356 VUL-0: CVE-2026-41142: openexr: integer overflow in `ImageChannel::resize` can lead to a heap out-of-bounds write via OpenEXRUtil public API
Bugzilla: 1264354 VUL-0: CVE-2026-42216: openexr: missing checks in `IDManifest::init()` can lead to out-of-bounds read during prefix expansion
Bugzilla: 1264353 VUL-0: CVE-2026-42217: openexr: missing bounds check for shift counter in `readVariableLengthInteger` can lead to shift exponent overflow and cause undefined behavior

Packages

openexr-3.2.2-160000.8.1