CVE-2026-34588
EUVD-2026-1934706.04.2026, 16:16
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| openexr | openexr | 3.1.0 ≤ 𝑥 < 3.2.7 |
| openexr | openexr | 3.3.0 ≤ 𝑥 < 3.3.9 |
| openexr | openexr | 3.4.0 ≤ 𝑥 < 3.4.9 |
𝑥
= Vulnerable software versions
Red Hat Enterprise Linux Releases
Amazon Linux Releases
Amazon Package | |||
|---|---|---|---|
| OpenEXR |
| ||
| OpenEXR-debuginfo |
| ||
| OpenEXR-devel |
| ||
| OpenEXR-libs |
| ||
| openexr |
| ||
| openexr-debuginfo |
| ||
| openexr-debugsource |
| ||
| openexr-devel |
| ||
| openexr-libs |
| ||
| openexr-libs-debuginfo |
|
Common Weakness Enumeration
- CWE-125 - Out-of-bounds ReadThe software reads data past the end, or before the beginning, of the intended buffer.
- CWE-190 - Integer Overflow or WraparoundThe software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
References