CVE-2026-34544

EUVD-2026-18060
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, a crafted B44 or B44A EXR file can cause an out-of-bounds write in any application that decodes it via exr_decoding_run(). Consequences range from immediate crash (most likely) to corruption of adjacent heap allocations (layout-dependent). This issue has been patched in version 3.4.8.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.3 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
Affected Products (NVD)
VendorProductVersion
openexropenexr
3.2.0 ≤
𝑥
< 3.2.7
openexropenexr
3.3.0 ≤
𝑥
< 3.3.9
openexropenexr
3.4.0 ≤
𝑥
< 3.4.8
𝑥
= Vulnerable software versions
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
OpenEXR
Amazon Linux 2
0:1.7.1-8.amzn2.0.5
fixed
OpenEXR-debuginfo
Amazon Linux 2
0:1.7.1-8.amzn2.0.5
fixed
OpenEXR-devel
Amazon Linux 2
0:1.7.1-8.amzn2.0.5
fixed
OpenEXR-libs
Amazon Linux 2
0:1.7.1-8.amzn2.0.5
fixed
openexr
Amazon Linux 2023
0:3.1.5-1.amzn2023.0.8
fixed
openexr-debuginfo
Amazon Linux 2023
0:3.1.5-1.amzn2023.0.8
fixed
openexr-debugsource
Amazon Linux 2023
0:3.1.5-1.amzn2023.0.8
fixed
openexr-devel
Amazon Linux 2023
0:3.1.5-1.amzn2023.0.8
fixed
openexr-libs
Amazon Linux 2023
0:3.1.5-1.amzn2023.0.8
fixed
openexr-libs-debuginfo
Amazon Linux 2023
0:3.1.5-1.amzn2023.0.8
fixed