EUVD-2026-18058
GHSA-vc68-257w-m432
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). This occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction. This issue has been patched in version 3.4.8.
Analysis
Heap memory disclosure in OpenEXR 3.4.0 through 3.4.7 allows remote attackers to extract sensitive information through decoded pixel data when processing malicious EXR image files. The vulnerability requires no authentication (PR:N) or user interaction (UI:N), triggering automatically during file parsing under default configurations. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running OpenEXR 3.4.0-3.4.7 and document their use cases and data exposure scope. Within 7 days: Implement input validation and file type restrictions to reject untrusted EXR files; consider sandboxing or air-gapping systems that must process EXR content from external sources. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today