Patch release that addresses the following security vulnerabilities:
- CVE-2026-42217 Shift exponent overflow in readVariableLengthInteger() (ImfIDManifest.cpp)
- CVE-2026-42216 Out-of-bounds read in IDManifest::init() during prefix expansion
- CVE-2026-41142 Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API
- OSS-fuzz 504280155 Heap-buffer-overflow in DwaCompressor_uncompress
- OSS-fuzz 505062709 Null-dereference READ in Imf_3_3::prefixFromLayerName
Build fixes:
- Fix Windows ARM64EC build issues and correct SIMD ARM NEON path for ARM64/EC
Also, some minor documentation updates:
- GitHub Security Advisories are the preferred way of reporting vulnerabilities, not email.
- Some clarification around UTF-8 handling of file paths