Changelog History
Page 2
-
v3.4.2 Changes
October 16, 2025๐ Patch release that fixes a Windows build issue introduced in v3.4.1.
๐ This version also bumps the auto-fetched Imath version to v3.2.2, which resolves a build problem with newer versions of cmake, involving duplicate library aliases.
No change in functionality.
-
v3.4.1 Changes
October 08, 2025๐ Patch release that fixes a build issue: OpenJPH headers are now
included from the openjph folder, as required by OpenJPH 0.23+.No change in functionality.
-
v3.4.0 Changes
September 05, 2025OpenEXR v3.4 introduces a new, additional compression option to the OpenEXR file format for lossless compression with High Throughput JPEG-2000 (HTJ2K) encoding:
A new HTJ2K compressor uses the High-Throughput (HT) block coder. It supports the full range of OpenEXR features, including 16-bit and 32-bit floating-point image channels, both scanline and tiled.
๐ The HT block coder is standardized in Rec. ITU-T T.814 and ISO/IEC 15444-15. It is royalty-free , widely used in cinema and distribution servicing, and implemented in both commercial and open-source toolkits.
โ In experiments, we've found that HTJ2K produces smaller files, and depending on the nature of the image data, is one of the fastest compression types available in OpenEXR.
๐ Integration with OpenEXR uses the OpenJPH open-source library. For ease in managing the dependency, the OpenEXR CMake configuration supports automatically fetching and building
OpenJPHinternally , or linking against an external installation.๐ OpenEXR supports two new compression types with distinct space/time trade-offs:
All existing OpenEXR compression options remain unchanged. This new feature simply extends the range of compression types available.
โก๏ธ Software compiled with OpenEXR v3.4 will be able to read HTJ2K compressed OpenEXRs without any code changes. Software that writes files may automatically support the new type, but may need a small update to make the new type available as a user option.
โ ๏ธ This is a backwards-compatible extension to the OpenEXR file format. Files written with OpenEXR v3.4 will be readable by applications built against previous releases, unless they use the new
htj2k32orhtj2k256compression options.โ ๏ธ This feature was first introduced for evaluation in February, 2025 via the
htj2k-betabranch with a single 256 scanlines/chunk compression option, with the 32-scanline option added more recently. Application software written during this evaluation period will need to changeIMF_HTJ2K_COMPRESSIONtoIMF_HTJ2K256_COMPRESSION, although files written with the earlier evaluation version should still read properly.
Other New Features:
๐ โจ New
colorInteropIDstandard attribute๐ โจ New
bytesattribute type๐ง TBB as a global thread provider
๐ง Vendored
libdeflate
๐ Bug fixes:
- ๐ Using openexr via cmake
add_subdirectorynow works properly.
๐ Changes to the OpenEXR Python module:
- ๐ ๐ The Python module now allows an empty part name for a single-part file
- ๐ ๐ The
header_onlyoption for Python module'sOpenEXR.Filenow works properly. - โ ๐ ๐ฆ โ ๏ธ
pypidistributions now add support for Python 3.13 and drop support for Python 3.7.
-
v3.3.11 Changes
April 29, 2026๐ Patch release for 3.3 that addresses the following security vulnerabilities:
CVE-2026-42217 Shift exponent overflow in
readVariableLengthInteger()(ImfIDManifest.cpp)CVE-2026-42216 Out-of-bounds read in
IDManifest::init()during prefix expansionCVE-2026-41142 Integer overflow in
ImageChannel::resizeleads to heap OOB write via OpenEXRUtil public APIOSS-fuzz 504280155 Heap-buffer-overflow in
DwaCompressor_uncompress
-
v3.3.10 Changes
April 17, 2026๐ Patch release that addresses the following security vulnerabilities:
- CVE-2026-40244 Integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)
- CVE-2026-40250 Integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)
-
v3.3.9 Changes
April 03, 2026๐ Patch release for v3.3 that addresses the following security vulnerabilities:
- CVE-2026-34589 DWA Lossy Decoder Heap Out-of-Bounds Write
- CVE-2026-34588 Signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
- CVE-2026-34544 integer overflow to OOB write in uncompress_b44_impl()
- CVE-2026-34543 Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)
- CVE-2026-34380 Signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression
- CVE-2026-34379 Misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)
- ๐ CVE-2026-34378 Signed integer overflow in generic_unpack() when parsing EXR files with crafted negative dataWindow.min.x
-
v3.3.8 Changes
March 01, 2026๐ Patch release that prevents an integer overflow when using the
CompositeDeepScanLineAPI to combine multiple deep parts. -
v3.3.7 Changes
February 20, 2026๐ Patch release that fixes an incorrect size check in
istream_nonparallel_readthat could lead to a buffer overflow on
invalid input data. -
v3.3.6 Changes
November 05, 2025๐ Patch release that addresses several bugs, primarily involving properly rejecting corrupt input data.
Specifically:
- Buffer overflow in PyOpenEXR_old's
channels()andchannel()in legacy python, reported by Joshua Rogers (GitHub: MegaManSec). - ๐ Use after free in PyObject_StealAttrString in legacy python, reported by Joshua Rogers (GitHub: MegaManSec).
- ๐ Use of Uninitialized Memory in openexr, reported by Aldo Ristori (GitHub: Kaldreic).
- Heap-based Buffer Overflow Remote Code Execution Vulnerability, reported by Trend Micro Zero Day Initiative.
Full changelog: v3.3.5..v3.3.6
- Buffer overflow in PyOpenEXR_old's
-
v3.3.5 Changes
July 26, 2025๐ Patch release with a couple bug/performance fixes:
- ๐ Fix for DeepScanlineInputFile read memory leak
- ๐ OpenEXRCore Deep pixel unpacking optimisation