CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2026-42216 — OpenEXR provides the specification and reference implementation of the EXR file ...

·Source: NIST NVD

Updated:

Executive Summary

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin

Analysis

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11. CVSS Score: 9.1. Published: 2026-05-07T04:16:34.220.

Indicators of Compromise (1)

CVE (1)
CVE-2026-42216
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on May 7, 2026. Verified by: NIST.

Related Threats

LOWVulnerabilityNEW

Attackers Combine ClickFix With PySoxy Proxying to Maintain Persistence

Exploitation of open-source tools allows attackers to maintain persistent access after initial social engineering, warn ReliaQuest researchers

Infosecurity Magazine
MEDIUMVulnerability

Moneyline selects NatWest Payit for variable recurring payments

East Lancashire Moneyline, the UK‑based not‑for‑profit social lender, has partnered with Payit by NatWest, NatWest Group’s Open Banking payments business, to introduce a more flexible, customer‑controlled way for borrowers to repay their loans using Variable Recurring Payments (VRP).

Finextra
MEDIUMVulnerabilityPOC

Copy.Fail Linux Vulnerability

This is the worst Linux vulnerability in years. TL;DR copy.fail is a Linux kernel local privilege escalation, not a browser or clipboard attack. Disclosed by Theori on 29 April 2026 with a working PoC. It abuses the kernel crypto API (AF_ALG sockets) plus splice() to write four bytes at a time straight into the page cache of a file the attacker does not own. The exploit works unmodified across Ubu

Schneier on Security