Patch release for 3.2 that addresses the following security vulnerabilities:
-
CVE-2026-42217 Shift exponent overflow in
readVariableLengthInteger()(ImfIDManifest.cpp) -
CVE-2026-42216 Out-of-bounds read in
IDManifest::init()during prefix expansion -
CVE-2026-41142 Integer overflow in
ImageChannel::resizeleads to heap OOB write via OpenEXRUtil public API -
OSS-fuzz 504280155 Heap-buffer-overflow in
DwaCompressor_uncompress