There are 3 open security issues in bullseye.
1 important issue:
tinyexr 0.9.5 has a heap-based buffer over-read via tinyexr::ReadChannelInfo in tinyexr.h.
2 issues left for the package maintainer to handle:
tinyexr 0.9.5 has a segmentation fault in the wav2Decode function.
In tinyexr 1.0.1, there is a heap-based buffer over-read in tinyexr::DecodePixelData.
You can find information about how to handle these issues in the security team's documentation.