What is the CVSS score of CVE-2026-34379?

CVE-2026-34379 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H. EPSS exploitation probability: 0.0%.

Which versions of Red Hat are affected by CVE-2026-34379?

OpenEXR versions 3.2.0-3.4.8 contain a memory alignment vulnerability in the DWA decoder that causes application crashes on ARM and RISC-V systems and may enable code execution on x86 platforms when…. A patch is available.

Red Hat CVE-2026-34379

EUVD-2026-19305 HIGH

Incorrect Type Conversion or Cast (CWE-704)

2026-04-06 GitHub_M

Denial Of Service Red Hat Suse

7.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:06 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

3.4.9,3.2.7,3.3.9

EUVD ID Assigned

Apr 06, 2026 - 15:30 euvd

EUVD-2026-19305

Analysis Generated

Apr 06, 2026 - 15:30 vuln.today

CVE Published

Apr 06, 2026 - 15:21 nvd

HIGH 7.1

DescriptionNVD

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file containing a FLOAT-type channel, the decoder performs an in-place HALF→FLOAT conversion by casting an unaligned uint8_t * row pointer to float * and writing through it. Because the row buffer may not be 4-byte aligned, this constitutes undefined behavior under the C standard and crashes immediately on architectures that enforce alignment (ARM, RISC-V, etc.). On x86 it is silently tolerated at runtime but remains exploitable via compiler optimizations that assume aligned access. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.

AnalysisAI

Unaligned memory write in OpenEXR DWA decoder causes immediate crashes on ARM/RISC-V architectures and enables potential exploitation on x86 systems via compiler optimization abuse. Affects OpenEXR versions 3.2.0-3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8 when processing DWA/DWAB-compressed EXR files with FLOAT-type channels. …

RemediationAI

Within 24 hours: inventory all systems running OpenEXR versions 3.2.0-3.2.6, 3.3.0-3.3.8, or 3.4.0-3.4.8; restrict access to EXR file processing from untrusted sources. Within 7 days: test and deploy vendor-released patches to all affected OpenEXR installations (verify with vendor advisory for exact patched versions). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory