This update for openexr fixes the following issues:
- CVE-2026-41142: integer overflow in `ImageChannel::resize` can lead to a heap out-of-bounds write via OpenEXRUtil public API (bsc#1264356).
- CVE-2026-42216: missing checks in `IDManifest::init()` can lead to out-of-bounds read during prefix expansion (bsc#1264354).
- CVE-2026-42217: missing bounds check for shift counter in `readVariableLengthInteger` can lead to shift exponent overflow and cause undefined behavior (bsc#1264353).
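The bug class named in CVE-2026-42217, shown as an added example that is not taken from OpenEXR or from its patch: a variable-length integer reader that bounds the shift counter before it shifts. The function name, the return codes, the 7-bits-per-byte encoding and the 32-bit result width are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not OpenEXR code). Decodes an integer stored as
 * 7 payload bits per byte, least significant group first, high bit set
 * when more bytes follow. Returns 0 on success, -1 on truncated input,
 * -2 when the encoding does not fit in 32 bits. */
int read_varint_u32(const uint8_t **cur, const uint8_t *end, uint32_t *out)
{
    const uint8_t *p = *cur;
    uint32_t value = 0;
    unsigned shift = 0;

    for (;;) {
        if (p >= end)
            return -1;                  /* input ended mid-integer */
        uint8_t byte = *p++;
        uint32_t chunk = byte & 0x7Fu;

        /* Bound the shift counter BEFORE shifting: a shift by 32 or more
         * on a 32-bit operand is undefined behaviour in C and C++. */
        if (shift >= 32)
            return -2;
        /* At shift 28 only 4 payload bits still fit in the result. */
        if (shift == 28 && chunk > 0x0Fu)
            return -2;

        value |= chunk << shift;
        if (!(byte & 0x80u))
            break;                      /* last byte of this integer */
        shift += 7;
    }
    *cur = p;                           /* advance only on success */
    *out = value;
    return 0;
}

int main(void)
{
    /* Constructed input: five continuation bytes push the shift to 35. */
    const uint8_t hostile[] = {0x80, 0x80, 0x80, 0x80, 0x80, 0x01};
    const uint8_t *p = hostile;
    uint32_t v = 0;
    int rc = read_varint_u32(&p, hostile + sizeof hostile, &v);
    printf("rc=%d consumed=%ld\n", rc, (long)(p - hostile));
    return 0;
}
```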
Patch instructions:
To install this openSUSE security update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-750=1
- openSUSE Leap 16.0:
libIex-3_2-31-3.2.2-160000.8.1
libIex-3_2-31-x86-64-v3-3.2.2-160000.8.1
libIlmThread-3_2-31-3.2.2-160000.8.1
libIlmThread-3_2-31-x86-64-v3-3.2.2-160000.8.1
libOpenEXR-3_2-31-3.2.2-160000.8.1
libOpenEXR-3_2-31-x86-64-v3-3.2.2-160000.8.1
libOpenEXRCore-3_2-31-3.2.2-160000.8.1
libOpenEXRCore-3_2-31-x86-64-v3-3.2.2-160000.8.1
libOpenEXRUtil-3_2-31-3.2.2-160000.8.1
libOpenEXRUtil-3_2-31-x86-64-v3-3.2.2-160000.8.1
openexr-3.2.2-160000.8.1
openexr-devel-3.2.2-160000.8.1
openexr-doc-3.2.2-160000.8.1
References:
* https://www.suse.com/security/cve/CVE-2026-41142.html
* https://www.suse.com/security/cve/CVE-2026-42216.html
* https://www.suse.com/security/cve/CVE-2026-42217.html
* bsc#1264353
* bsc#1264354
* bsc#1264356