Integer Overflow or Wraparound Affecting openexr package, versions <3.3.11-r0


Severity

Recommended
0.0
critical
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.39% (31st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ALPINE322-OPENEXR-17431906
  • published24 Jun 2026
  • disclosed7 May 2026

Introduced: 7 May 2026

CVE-2026-42217  (opens in a new tab)
CWE-190  (opens in a new tab)

How to fix?

Upgrade Alpine:3.22 openexr to version 3.3.11-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream openexr package and not the openexr package as distributed by Alpine. See How to fix? for Alpine:3.22 relevant fixed versions and status.

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, readVariableLengthInteger() decodes a variable-length integer from untrusted EXR input without bounding the shift count. After enough continuation bytes, the code executes a left shift by 70 on a 64-bit value, which is undefined behavior. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.

CVSS Base Scores

version 3.1