Patch release that addresses several bugs and security vulnerabilities.
- 🐛 Fix several minor memory leaks recovering from reading invalid files.
- 🐛 The compressor API incorrectly identified `HTJ2K` and `HTJ2K256` as lossy; they are lossless.
- 🐛 Fix CMake AVX feature detection that caused DWA SIMD code to fail on certain architectures.
- ⚠️ The `WidenFilename` utility function is marked as deprecated, to be removed in a future release.
- ✨ `exrmetrics` now prints the on-disk size of the data portion of each part. Useful for determining compression impact on part data.
For the Python module:
- 🐍 🐛 Reject files where the `dataWindow` does not match the pixel array dimensions.
- 🐍 ✨ Support NumPy float vector attributes
- 🐍 ✨ Reading now skips over invalid parts, returns the valid parts only.
- 🐍 📖 Doc strings have proper indentation
This release addresses the following security vulnerabilities:
- CVE-2026-45696 OpenEXR `ht_undo_impl` heap-buffer-overflow READ via codestream/channel width mismatch in HTJ2K decode
- CVE-2026-44663 Integer overflow in HTJ2K decoder (`ht_undo_impl`) leading to heap-buffer-overflow
- OSS-Fuzz 512895184 Null-dereference WRITE in `Imf_4_0::TileProcess::run_decode`
- OSS-Fuzz 512314697 Direct-leak in `internal_exr_add_part`
- OSS-Fuzz 508362159 Heap-buffer-overflow in `DwaCompressor_uncompress`
- OSS-Fuzz 507413960 Heap-buffer-overflow in `generic_unpack`