Releases: AcademySoftwareFoundation/openexr

v3.4.11

29 Apr 22:34

Patch release that addresses the following security vulnerabilities:

  • CVE-2026-42217 Shift exponent overflow in readVariableLengthInteger() (ImfIDManifest.cpp)

  • CVE-2026-42216 Out-of-bounds read in IDManifest::init() during prefix expansion

  • CVE-2026-41142 Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API

  • OSS-fuzz 504280155 Heap-buffer-overflow in DwaCompressor_uncompress

  • OSS-fuzz 505062709 Null-dereference READ in Imf_3_3::prefixFromLayerName

Build fixes:

  • Fix Windows ARM64EC build issues and correct SIMD ARM NEON path for ARM64/EC

Also, some minor documentation updates:

  • GitHub Security Advisories are the preferred way of reporting vulnerabilities, not email.
  • Some clarification around handling of UTF-8 in file paths

v3.3.11

29 Apr 22:33

Patch release for 3.3 that addresses the following security vulnerabilities:

  • CVE-2026-42217 Shift exponent overflow in readVariableLengthInteger() (ImfIDManifest.cpp)

  • CVE-2026-42216 Out-of-bounds read in IDManifest::init() during prefix expansion

  • CVE-2026-41142 Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API

  • OSS-fuzz 504280155 Heap-buffer-overflow in DwaCompressor_uncompress

v3.2.9

29 Apr 22:32

Patch release for 3.2 that addresses the following security vulnerabilities:

  • CVE-2026-42217 Shift exponent overflow in readVariableLengthInteger() (ImfIDManifest.cpp)

  • CVE-2026-42216 Out-of-bounds read in IDManifest::init() during prefix expansion

  • CVE-2026-41142 Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API

  • OSS-fuzz 504280155 Heap-buffer-overflow in DwaCompressor_uncompress

v3.4.10

17 Apr 19:51

Patch release that addresses the following security vulnerabilities:

v3.3.10

17 Apr 16:04

Patch release that addresses the following security vulnerabilities:

v3.2.8

17 Apr 16:03

Patch release that addresses the following security vulnerabilities:

v3.4.9

03 Apr 20:44

Patch release that addresses several security vulnerabilities.

This release also fixes a build issue where the library symlinks would get installed in the incorrect location when overriding the cached install prefix path.

This release addresses the following CVEs:

  • CVE-2026-34589 DWA Lossy Decoder Heap Out-of-Bounds Write
  • CVE-2026-34588 Signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
  • CVE-2026-34380 Signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression
  • CVE-2026-34379 Misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)
  • CVE-2026-34378 Signed integer overflow in generic_unpack() when parsing EXR files with crafted negative dataWindow.min.x

v3.3.9

03 Apr 20:41

Patch release for v3.3 that addresses the following security vulnerabilities:

  • CVE-2026-34589 DWA Lossy Decoder Heap Out-of-Bounds Write
  • CVE-2026-34588 Signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
  • CVE-2026-34544 integer overflow to OOB write in uncompress_b44_impl()
  • CVE-2026-34543 Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)
  • CVE-2026-34380 Signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression
  • CVE-2026-34379 Misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)
  • CVE-2026-34378 Signed integer overflow in generic_unpack() when parsing EXR files with crafted negative dataWindow.min.x

v3.2.7

03 Apr 20:40

Patch release for v3.2 that addresses the following security vulnerabilities:

  • CVE-2026-34589 DWA Lossy Decoder Heap Out-of-Bounds Write
  • CVE-2026-34588 Signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
  • CVE-2026-34544 integer overflow to OOB write in uncompress_b44_impl()
  • CVE-2026-34543 Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)
  • CVE-2026-34380 Signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression
  • CVE-2026-34379 Misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)

v3.4.8

26 Mar 14:43

Patch release with several bug/build fixes:

  • Fix an integer-overflow bug reading malformed files compressed with B44A/B44B
  • Fix a buffer-overrun bug reading malformed files compressed with PXR24
  • Fix a bug compressing half data with ZIPS/ZIP data when the compressed size equals packed size
  • Single part files no longer get assigned a part name when writing via the python module
  • Fix a build failure on FreeBSD involving threads.h

This also eliminates several compiler warnings, particularly about the deprecated isOptimizationEnabled() API and deprecates standard attributes.