notes for v3.2.8

cary-ilm · cary-ilm · commit f8118548eb5e · 2026-04-15T09:03:10.000-07:00
Signed-off-by: Cary Phillips &lt;cary@ilm.com&gt;
diff --git a/CHANGES.md b/CHANGES.md
@@ -3,6 +3,7 @@
 
 # OpenEXR Release Notes
 
+* [Version 3.2.8](#version-328-april-17-2026) April 17, 2026
 * [Version 3.2.7](#version-327-april-3-2026) April 3, 2026
 * [Version 3.2.6](#version-326-february-26-2026) February 26, 2026
 * [Version 3.2.5](#version-325-november-4-2025) November 4, 2025
@@ -77,6 +78,18 @@
 * [Version 1.0.1](#version-101)
 * [Version 1.0](#version-10)
 
+## Version 3.2.8 (April 17, 2026)
+
+Patch release that addresses the following security vulnerabilities:
+
+* [CVE-2026-40244](https://www.cve.org/CVERecord?id=CVE-2026-40244) Integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)
+* [CVE-2026-40250](https://www.cve.org/CVERecord?id=CVE-2026-40250) Integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)
+
+### Merged Pull Requests
+
+* [2346](https://github.com/AcademySoftwareFoundation/openexr/pull/2346)
+Fix integer overflow in internal_dwa_compressor.h
+
 ## Version 3.2.7 (April 3, 2026)
 
 Patch release for v3.2 that addresses the following security vulnerabilities:
