Cary Phillips reports:
[OpenEXR v3.4.11 is a p]atch release that addresses the following security vulnerabilities:
- CVE-2026-42217 Shift exponent overflow in readVariableLengthInteger() (ImfIDManifest.cpp)
- CVE-2026-42216 Out-of-bounds read in IDManifest::init() during prefix expansion
- CVE-2026-41142 Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API
- OSS-Fuzz 504280155 Heap-buffer-overflow in DwaCompressor_uncompress
- OSS-Fuzz 505062709 Null-dereference READ in Imf_3_3::prefixFromLayerName