This release addresses the following security vulnerabilities:

• CVE-2026-55373 OpenEXRUtil SampleCountChannel endEdit() can loop forever on UINT_MAX sample counts
• CVE-2026-55059 OpenEXRUtil SampleCountChannel row setter heap out-of-bounds write
• CVE-2026-54920 Integer Overflow and Use of Uninitialized Pointer leading to Invalid Delete in OpenEXRUtil Image Resize

Patch release for 3.2 addressing security issues

This release addresses the following security vulnerabilities:

• CVE-2026-55373 OpenEXRUtil SampleCountChannel endEdit() can loop forever on UINT_MAX sample counts
• CVE-2026-55059 OpenEXRUtil SampleCountChannel row setter heap out-of-bounds write
• CVE-2026-54920 Integer Overflow and Use of Uninitialized Pointer leading to Invalid Delete in OpenEXRUtil Image Resize

Patch release that addresses several bugs and security
vulnerabilities.

• 🐛 Fix a regression introduced in v3.4.11 in decoding of DWAA compression
• 🐛 Fix to handling deep images and very large images with the OpenEXRUtil library
• 🐛 Fix initiliazation issue in B44A decoding
• 🐛 Validate HTJ2K chunk header length before decode
• 🛠️ Fix when building statically and using the vendored OpenJPH library

For the python module:

• 🐍 ✨ Support NumPy scalar values Box2i and V2f tuple bindings

This release addresses the following security vulnerabilities:

• CVE-2026-55373 OpenEXRUtil SampleCountChannel endEdit() can loop forever on UINT_MAX sample counts
• CVE-2026-55371 OpenEXRCore exr_attr_set_bytes() accepts NULL type_hint with positive hint_length
• CVE-2026-55059 OpenEXRUtil SampleCountChannel row setter heap out-of-bounds write
• CVE-2026-54920 Integer Overflow and Use of Uninitialized Pointer leading to Invalid Delete in OpenEXRUtil Image Resize
• CVE-2026-53532 Unhandled assert abort in HTJ2K decoder via crafted QCD marker (DoS)

Patch release that addresses several bugs and security vulnerabilities.

• 🐛 Fix several minor memory leaks recovering from reading invalid files.
• 🐛 The compressor API incorrectly identified HTJ2K and HTJ2K256 as lossy; they are lossles.
• 🐛 Fix CMake AVX feature detection that caused DWA SIMD code to fail on certain architectures.
• ⚠️ The WidenFilename utility function is marked as deprecated, to be removed in a future release.
• ✨ exrmetrics now print the on-disk size of the data portion of each part. Useful for determining compression impact on part data

For the python module:

• 🐍 🐛 Reject files where the dataWindows does not match the pixel array dimensions.
• 🐍 ✨ Support NumPy float vector attributes
• 🐍 ✨ Reading now skips over invalid parts, returns the valid parts only.
• 🐍 📖 Doc strings have proper indentation

This release addresses the following security vulnerabilities:

• CVE-2026-45696 OpenEXR ht_undo_impl heap-buffer-overflow READ via codestream/channel width mismatch in HTJ2K decode
• CVE-2026-44663 Integer overflow in HTJ2K decoder ( ht_undo_impl ) leading to heap-buffer-overflow
• OSS-Fuzz 512895184 Null-dereference WRITE in Imf_4_0::TileProcess::run_decode
• OSS-fuzz 512314697 Direct-leak in internal_exr_add_part
• OSS-fuzz 508362159 Heap-buffer-overflow in DwaCompressor_uncompress
• OSS-fuzz 507413960 Heap-buffer-overflow in generic_unpack

Patch release that addresses the following security vulnerabilities:

• CVE-2026-42217 Shift exponent overflow in readVariableLengthInteger() (ImfIDManifest.cpp)

• CVE-2026-42216 Out-of-bounds read in IDManifest::init() during prefix expansion

• CVE-2026-41142 Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API

• OSS-fuzz 504280155 Heap-buffer-overflow in DwaCompressor_uncompress

• OSS-fuzz 505062709 Null-dereference READ in Imf_3_3::prefixFromLayerName

Build fixes:

• Fix Windows ARM64EC build issues and correct SIMD ARM NEON path for ARM64/EC

Also, some minor documentation updates:

• GitHub Security Advisories are the preferred way of reporting vulnerabilities, not email.
• Some clarification around handling of UFT-8 of file paths

Patch release for 3.3 that addresses the following security vulnerabilities:

• CVE-2026-42217 Shift exponent overflow in readVariableLengthInteger() (ImfIDManifest.cpp)

• CVE-2026-42216 Out-of-bounds read in IDManifest::init() during prefix expansion

• CVE-2026-41142 Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API

• OSS-fuzz 504280155 Heap-buffer-overflow in DwaCompressor_uncompress

Patch release for 3.2 that addresses the following security vulnerabilities:

• CVE-2026-42217 Shift exponent overflow in readVariableLengthInteger() (ImfIDManifest.cpp)

• CVE-2026-42216 Out-of-bounds read in IDManifest::init() during prefix expansion

• CVE-2026-41142 Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API

• OSS-fuzz 504280155 Heap-buffer-overflow in DwaCompressor_uncompress

Patch release that addresses the following security vulnerabilities:

• CVE-2026-39886 HTJ2K Signed Integer Overflow in ht_undo_impl()
• CVE-2026-40244 Integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)
• CVE-2026-40250 Integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)

Patch release that addresses the following security vulnerabilities:

• CVE-2026-40244 Integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)
• CVE-2026-40250 Integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)

Patch release that addresses the following security vulnerabilities:

• CVE-2026-40244 Integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)
• CVE-2026-40250 Integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)