Skip to main content

Red Hat CVE-2026-34545

| EUVD-2026-18062 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-04-01 GitHub_M
RCE Buffer Overflow Heap Overflow Red Hat Suse
8.4
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:09 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.4.7
EUVD ID Assigned
Apr 01, 2026 - 21:15 euvd
EUVD-2026-18062
Analysis Generated
Apr 01, 2026 - 21:15 vuln.today
CVE Published
Apr 01, 2026 - 20:51 nvd
HIGH 8.4

DescriptionNVD

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.7, an attacker providing a crafted .exr file with HTJ2K compression and a channel width of 32768 can write controlled data beyond the output heap buffer in any application that decodes EXR images. The write primitive is 2 bytes per overflow iteration or 4 bytes (by another path), repeating for each additional pixel past the overflow point. In this context, a heap write overflow can lead to remote code execution on systems. This issue has been patched in version 3.4.7.

AnalysisAI

Heap buffer overflow in OpenEXR 3.4.0 through 3.4.6 allows remote code execution when processing maliciously crafted EXR image files with HTJ2K compression and specific channel width configurations. The vulnerability enables controlled heap overwrites of 2-4 bytes per iteration beyond allocated buffer boundaries, exploitable through user interaction with weaponized .exr files. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Inventory all systems running OpenEXR 3.4.0 through 3.4.6, including embedded instances in applications like Blender, Maya, or custom image processing tools. Within 7 days: Upgrade OpenEXR to version 3.4.7 or later on all identified systems, and update any dependent applications that bundle OpenEXR. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-9277 HIGH
8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
CVE-2026-9256 HIGH
8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

Share

CVE-2026-34545 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy