Another wave it seems: CVE-2021-3479 31.03.21 16:15 There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability. Fix: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c CVE-2021-3478 31.03.21 16:15 There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability. Fix (? as Red Hat analyst points out in https://bugzilla.redhat.com/show_bug.cgi?id=1939160#c3, it indeed looks uncertain): https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a CVE-2021-3477 31.03.21 16:15 There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application availability. Fix (? as Red Hat analyst points out in https://bugzilla.redhat.com/show_bug.cgi?id=1939159#c3, it indeed looks uncertain): https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1