ยซ Changelog History


OpenEXR v3.4.12 Release Notes

Release Date: 2026-05-25 // 24 days ago

  • ๐Ÿš€ Patch release that addresses several bugs and security vulnerabilities.

    • ๐Ÿ› Fix several minor memory leaks recovering from reading invalid files.
    • ๐Ÿ› The compressor API incorrectly identified HTJ2K and HTJ2K256 as lossy; they are lossles.
    • ๐Ÿ› Fix CMake AVX feature detection that caused DWA SIMD code to fail on certain architectures.
    • ๐Ÿš€ โš ๏ธ The WidenFilename utility function is marked as deprecated, to be removed in a future release.
    • ๐Ÿ–จ โœจ exrmetrics now print the on-disk size of the data portion of each part. Useful for determining compression impact on part data

    For the python module:

    • ๐Ÿ ๐Ÿ ๐Ÿ› Reject files where the dataWindows does not match the pixel array dimensions.
    • ๐Ÿ‘ ๐Ÿ โœจ Support NumPy float vector attributes
    • ๐Ÿ โœจ Reading now skips over invalid parts, returns the valid parts only.
    • ๐Ÿ ๐Ÿ“– Doc strings have proper indentation

    ๐Ÿš€ This release addresses the following security vulnerabilities:


Previous changes from v3.4.11

  • ๐Ÿš€ Patch release that addresses the following security vulnerabilities:

    • CVE-2026-42217 Shift exponent overflow in readVariableLengthInteger() (ImfIDManifest.cpp)

    • CVE-2026-42216 Out-of-bounds read in IDManifest::init() during prefix expansion

    • CVE-2026-41142 Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API

    • OSS-fuzz 504280155 Heap-buffer-overflow in DwaCompressor_uncompress

    • OSS-fuzz 505062709 Null-dereference READ in Imf_3_3::prefixFromLayerName

    ๐Ÿ— Build fixes:

    • ๐Ÿ›  Fix Windows ARM64EC build issues and correct SIMD ARM NEON path for ARM64/EC

    ๐Ÿ“š Also, some minor documentation updates:

    • ๐Ÿ”’ GitHub Security Advisories are the preferred way of reporting vulnerabilities, not email.
    • Some clarification around handling of UFT-8 of file paths