Skip to main content

Red Hat CVE-2026-34380

| EUVDEUVD-2026-19307 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-04-06 GitHub_M
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.4.9,3.2.7,3.3.9
EUVD ID Assigned
Apr 06, 2026 - 15:30 euvd
EUVD-2026-19307
Analysis Generated
Apr 06, 2026 - 15:30 vuln.today
CVE Published
Apr 06, 2026 - 15:22 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c at line 377. The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit integer before casting to uint64_t. When w is large, this multiplication constitutes undefined behavior under the C standard. On tested builds (clang/gcc without sanitizers), two's-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer, which may allow the subsequent bounds check to pass incorrectly. If the check is bypassed, the decoding loop proceeds to write pixel data through dout, potentially extending far beyond the allocated output buffer. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.

AnalysisAI

Signed integer overflow in OpenEXR's undo_pxr24_impl() function allows unauthenticated remote attackers to bypass buffer bounds checks and trigger heap buffer overflow during EXR file decoding, potentially causing denial of service or limited data corruption when processing maliciously crafted EXR files. The vulnerability affects OpenEXR versions 3.2.0 through 3.2.6, 3.3.0 through 3.3.8, and 3.4.0 through 3.4.8. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

OpenEXR is the motion picture industry standard for high-dynamic-range image storage. The vulnerability resides in the PXR24 pixel format decoder (internal_pxr24.c, line 377), specifically in the undo_pxr24_impl() function which handles decompression of PXR24-encoded pixel data. The root cause is a signed integer overflow in the expression (uint64_t)(w * 3), where the multiplication w * 3 is computed as a signed 32-bit integer before casting to unsigned 64-bit. According to the C standard, this constitutes undefined behavior. When w contains large values, two's-complement wraparound commonly occurs on typical compilers (clang, gcc). For specific w values, the wrapped result becomes a small positive integer, allowing a subsequent buffer bounds check to pass incorrectly. Once the bounds check is bypassed, the decoding loop writes pixel data beyond the allocated output buffer, causing heap overflow. The vulnerability is classified under CWE-190 (Integer Overflow or Wraparound), which is the root cause of the subsequent buffer overflow condition.

RemediationAI

Upgrade OpenEXR to version 3.2.7, 3.3.9, or 3.4.9 depending on the currently deployed release line. Users on 3.2.x should update to 3.2.7, those on 3.3.x to 3.3.9, and those on 3.4.x to 3.4.9. These patched versions correct the signed integer overflow by ensuring the multiplication is performed at the correct integer width before the bounds check. No workarounds are documented; patching is the primary remediation. For detailed guidance and package availability, consult the official Academy Software Foundation security advisory at https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q3v8-hw4m-59w5.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-34380 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy