Nixpkgs security tracker

Published

Permalink CVE-2026-27622

updated 1 month, 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 2 weeks ago
@LeSuisse ignored
2 packages
- haskellPackages.openexr-write
- openexrid-unstable
1 month, 2 weeks ago
@LeSuisse accepted 1 month, 2 weeks ago
@LeSuisse published on GitHub 1 month, 2 weeks ago

OpenEXR CompositeDeepScanLine integer-overflow leads to heap OOB write

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.

References

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963 x_refsource_CONFIRM

Affected products

openexr

==>= 2.3.0, < 3.2.6
==>= 3.3.0, < 3.3.8
==>= 3.4.0, < 3.4.6

Matching in nixpkgs

pkgs.openexr

High dynamic-range (HDR) image file format

nixos-unstable 3.3.5
- nixpkgs-unstable 3.3.5
- nixos-unstable-small 3.3.5
nixos-25.11 3.3.5
- nixos-25.11-small 3.3.5
- nixpkgs-25.11-darwin 3.3.5

pkgs.openexr_2

High dynamic-range (HDR) image file format

nixos-unstable 2.5.10
- nixpkgs-unstable 2.5.10
- nixos-unstable-small 2.5.10
nixos-25.11 2.5.10
- nixos-25.11-small 2.5.10
- nixpkgs-25.11-darwin 2.5.10

Ignored packages (2)

pkgs.openexrid-unstable

OpenEXR files able to isolate any object of a CG image with a perfect antialiazing

nixos-unstable 2017-09-17
- nixpkgs-unstable 2017-09-17
- nixos-unstable-small 2017-09-17
nixos-25.11 2017-09-17
- nixos-25.11-small 2017-09-17
- nixpkgs-25.11-darwin 2017-09-17

pkgs.haskellPackages.openexr-write

Library for writing images in OpenEXR HDR file format

nixos-unstable 0.1.0.2
- nixpkgs-unstable 0.1.0.2
- nixos-unstable-small 0.1.0.2
nixos-25.11 0.1.0.2
- nixos-25.11-small 0.1.0.2
- nixpkgs-25.11-darwin 0.1.0.2

Package maintainers

@paperdigits Mica Semrick <mica@silentumbrella.com>

Upstream advisory: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963

Published

Permalink CVE-2026-26981

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

updated 1 month, 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 3 weeks ago
@LeSuisse ignored
3 packages
- openexrid-unstable
- haskellPackages.openexr-write
- openexr_2
1 month, 3 weeks ago
@LeSuisse accepted 1 month, 3 weeks ago
@LeSuisse published on GitHub 1 month, 3 weeks ago

OpenEXR has heap-buffer-overflow via signed integer underflow in ImfContextInit.cpp

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.6 and 3.4.0 through 3.4.4, a heap-buffer-overflow (OOB read) occurs in the `istream_nonparallel_read` function in `ImfContextInit.cpp` when parsing a malformed EXR file through a memory-mapped `IStream`. A signed integer subtraction produces a negative value that is implicitly converted to `size_t`, resulting in a massive length being passed to `memcpy`. Versions 3.3.7 and 3.4.5 contain a patch.

References

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q6vj-wxvf-5m8c x_refsource_CONFIRM
https://github.com/AcademySoftwareFoundation/openexr/commit/6bb2ddf1068573d073edf81270a015b38cc05cef x_refsource_MISC
https://github.com/AcademySoftwareFoundation/openexr/commit/d2be382758adc3e9ab83a3de35138ec28d93ebd8 x_refsource_MISC

Affected products

openexr

==>= 3.3.0, < 3.3.7
==>= 3.4.0, < 3.4.5

Matching in nixpkgs

pkgs.openexr

High dynamic-range (HDR) image file format

nixos-unstable 3.3.5
- nixpkgs-unstable 3.3.5
- nixos-unstable-small 3.3.5
nixos-25.11 3.3.5
- nixos-25.11-small 3.3.5
- nixpkgs-25.11-darwin 3.3.5

Ignored packages (3)

pkgs.openexr_2

High dynamic-range (HDR) image file format

nixos-unstable 2.5.10
- nixpkgs-unstable 2.5.10
- nixos-unstable-small 2.5.10
nixos-25.11 2.5.10
- nixos-25.11-small 2.5.10
- nixpkgs-25.11-darwin 2.5.10

pkgs.openexrid-unstable

OpenEXR files able to isolate any object of a CG image with a perfect antialiazing

nixos-unstable 2017-09-17
- nixpkgs-unstable 2017-09-17
- nixos-unstable-small 2017-09-17
nixos-25.11 2017-09-17
- nixos-25.11-small 2017-09-17
- nixpkgs-25.11-darwin 2017-09-17

pkgs.haskellPackages.openexr-write

Library for writing images in OpenEXR HDR file format

nixos-unstable 0.1.0.2
- nixpkgs-unstable 0.1.0.2
- nixos-unstable-small 0.1.0.2
nixos-25.11 0.1.0.2
- nixos-25.11-small 0.1.0.2
- nixpkgs-25.11-darwin 0.1.0.2

Package maintainers

@paperdigits Mica Semrick <mica@silentumbrella.com>

Upstream advisory: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q6vj-wxvf-5m8c
Upstream patch: https://github.com/AcademySoftwareFoundation/openexr/commit/6bb2ddf1068573d073edf81270a015b38cc05cef

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.openexr

pkgs.openexr_2

pkgs.openexrid-unstable

pkgs.haskellPackages.openexr-write

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.openexr

pkgs.openexr_2

pkgs.openexrid-unstable

pkgs.haskellPackages.openexr-write

Package maintainers