Patch release that addresses several security vulnerabilities.
This release also fixes a build issue where the library symlinks would get installed in the incorrect location when overriding the cached install prefix path.
This release addresses the following CVEs:
- CVE-2026-34589 DWA Lossy Decoder Heap Out-of-Bounds Write
- CVE-2026-34588 Signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
- CVE-2026-34380 Signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression
- CVE-2026-34379 Misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)
- CVE-2026-34378 Signed integer overflow in generic_unpack() when parsing EXR files with crafted negative dataWindow.min.x