Skip to main content

Openexr CVE-2026-34545

| EUVDEUVD-2026-18062 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-04-01 GitHub_M
8.4
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:09 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.4.7
EUVD ID Assigned
Apr 01, 2026 - 21:15 euvd
EUVD-2026-18062
Analysis Generated
Apr 01, 2026 - 21:15 vuln.today
CVE Published
Apr 01, 2026 - 20:51 nvd
HIGH 8.4

DescriptionCVE.org

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.7, an attacker providing a crafted .exr file with HTJ2K compression and a channel width of 32768 can write controlled data beyond the output heap buffer in any application that decodes EXR images. The write primitive is 2 bytes per overflow iteration or 4 bytes (by another path), repeating for each additional pixel past the overflow point. In this context, a heap write overflow can lead to remote code execution on systems. This issue has been patched in version 3.4.7.

AnalysisAI

Heap buffer overflow in OpenEXR 3.4.0 through 3.4.6 allows remote code execution when processing maliciously crafted EXR image files with HTJ2K compression and specific channel width configurations. The vulnerability enables controlled heap overwrites of 2-4 bytes per iteration beyond allocated buffer boundaries, exploitable through user interaction with weaponized .exr files. Attack vector is local (AV:L) requiring user action (UI:A) but no privileges (PR:N), with CVSS 8.4 severity. Vendor-released patch available in version 3.4.7. No public exploit identified at time of analysis, though the precise technical details in the security advisory lower exploitation complexity for capable adversaries.

Technical ContextAI

OpenEXR is the Academy Software Foundation's reference implementation of the EXR image format, widely used in visual effects and motion picture post-production workflows. The vulnerability (CWE-122: Heap-based Buffer Overflow) resides in the HTJ2K (High Throughput JPEG 2000) decompression pathway when processing images with channel widths of exactly 32768 pixels. The decoder fails to validate output buffer boundaries during decompression, allowing controllable out-of-bounds writes. The overflow primitive provides 2-byte writes per iteration in the primary exploit path, with an alternative 4-byte write path, repeating for each pixel beyond the overflow threshold. This level of write control transforms a simple memory corruption into a potential code execution primitive, as attackers can systematically overwrite heap metadata or adjacent objects. The CPE identifier cpe:2.3:a:academysoftwarefoundation:openexr confirms the vulnerability affects the core OpenEXR library across all platforms where the reference implementation is deployed.

RemediationAI

Vendor-released patch: OpenEXR version 3.4.7 addresses this vulnerability through boundary validation improvements in HTJ2K decompression routines, as documented in release https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.7 and commit 3827998f5c041d6a94c6af24bbb363daa669e4b3. Organizations should upgrade all OpenEXR installations to version 3.4.7 or later immediately. For environments unable to upgrade immediately, implement defense-in-depth controls: restrict processing of EXR files to trusted sources only, execute image decoding operations in sandboxed environments with minimal privileges, and deploy application-level input validation to reject files with suspicious characteristics (HTJ2K compression with channel widths near 32768). Update containerized applications and rebuild software bundles incorporating OpenEXR libraries. Verify downstream dependencies in media processing workflows, as third-party applications may bundle vulnerable versions. Consult vendor-specific advisories for integrated products using OpenEXR.

CVE-2018-18444 HIGH POC
8.8 Oct 17

makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds write, leading to an assertion failure or possib

CVE-2026-27622 HIGH POC
8.4 Mar 03

Out-of-bounds heap write in OpenEXR's CompositeDeepScanLine::readPixels lets a crafted multi-part deep-scanline EXR file

CVE-2017-12596 HIGH POC
7.8 Aug 07

In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp du

CVE-2026-26981 MEDIUM POC
6.5 Feb 24

OpenEXR versions 3.3.0-3.3.6 and 3.4.0-3.4.4 are vulnerable to a heap buffer overflow in file parsing due to improper in

CVE-2021-3598 MEDIUM POC
5.5 Jul 06

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. Rated medium severity (CV

CVE-2020-16589 MEDIUM POC
5.5 Dec 09

A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.

CVE-2020-16588 MEDIUM POC
5.5 Dec 09

A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp

CVE-2020-16587 MEDIUM POC
5.5 Dec 09

A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruct

CVE-2020-11765 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11764 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11763 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11762 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-34545 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy