Amazon Linux 2023 Security Advisory: ALAS2023-2026-1713
Advisory Released Date: 2026-05-26
Advisory Updated Date: 2026-05-26
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::resize that leads to heap OOB write via OpenEXRUtil public API. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
NOTE: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-m25w-72cj-q6mg
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/2367
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/0592ee539f33c122c90f09238579b902d838afb4 (CVE-2026-41142)
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
NOTE: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-65j8-95g9-jgj4 (CVE-2026-42216)
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, readVariableLengthInteger() decodes a variable-length integer from untrusted EXR input without bounding the shift count. After enough continuation bytes, the code executes a left shift by 70 on a 64-bit value, which is undefined behavior. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11. --- From NIST (CVE-2026-42217)
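A bounded decoder for the readVariableLengthInteger() issue described above, as an added example that is not OpenEXR's code or its patch. It assumes a base-128 encoding (7 payload bits per byte, high bit as continuation flag), which is consistent with a shift count of 70 after ten continuation bytes; the name read_varint_checked and the sample bytes are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical helper, not an OpenEXR function.
// Assumed encoding: base-128, least-significant group first; each byte
// carries 7 payload bits and the high bit means "another byte follows".
// On success stores the value in *out, advances *pos and returns true.
// On truncated input or a value wider than 64 bits returns false and
// leaves *pos and *out untouched.
bool read_varint_checked(const unsigned char* buf, size_t len,
                         size_t* pos, uint64_t* out)
{
    uint64_t value = 0;
    size_t p = *pos;
    // shift takes the values 0, 7, ..., 63 and never reaches 64 or more.
    for (unsigned shift = 0; shift < 64; shift += 7)
    {
        if (p >= len) return false;               // truncated input
        const unsigned char byte = buf[p++];
        const uint64_t bits = byte & 0x7Fu;
        // Only bit 63 is left on the tenth byte; larger payloads overflow.
        if (shift == 63 && bits > 1) return false;
        value |= bits << shift;
        if ((byte & 0x80u) == 0)
        {
            *pos = p;
            *out = value;
            return true;
        }
    }
    return false;  // continuation flag still set after ten bytes
}

int main()
{
    // Constructed inputs: 300 encoded in two bytes, then eleven
    // continuation bytes that an unbounded decoder would shift by 70.
    const unsigned char ok[] = {0xAC, 0x02};
    const unsigned char bad[] = {0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
                                 0x80, 0x80, 0x80, 0x80, 0x80, 0x01};
    size_t pos = 0;
    uint64_t v = 0;
    bool r1 = read_varint_checked(ok, sizeof ok, &pos, &v);
    std::printf("ok: %d value=%llu\n", r1, (unsigned long long)v);
    pos = 0;
    bool r2 = read_varint_checked(bad, sizeof bad, &pos, &v);
    std::printf("bad: %d\n", r2);
    return 0;
}
```

The loop condition, not the input, decides when decoding stops, so the shift count stays below the width of the accumulator no matter how many continuation bytes the file supplies.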
Affected Packages:
openexr
Issue Correction:
Run dnf update openexr --releasever 2023.11.20260526 or dnf update --advisory ALAS2023-2026-1713 --releasever 2023.11.20260526 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
openexr-libs-debuginfo-3.1.5-1.amzn2023.0.11.aarch64
openexr-3.1.5-1.amzn2023.0.11.aarch64
openexr-libs-3.1.5-1.amzn2023.0.11.aarch64
openexr-debuginfo-3.1.5-1.amzn2023.0.11.aarch64
openexr-devel-3.1.5-1.amzn2023.0.11.aarch64
openexr-debugsource-3.1.5-1.amzn2023.0.11.aarch64
src:
openexr-3.1.5-1.amzn2023.0.11.src
x86_64:
openexr-libs-debuginfo-3.1.5-1.amzn2023.0.11.x86_64
openexr-debugsource-3.1.5-1.amzn2023.0.11.x86_64
openexr-debuginfo-3.1.5-1.amzn2023.0.11.x86_64
openexr-devel-3.1.5-1.amzn2023.0.11.x86_64
openexr-3.1.5-1.amzn2023.0.11.x86_64
openexr-libs-3.1.5-1.amzn2023.0.11.x86_64