Which versions of Red Hat are affected by EUVD-2026-18060?

OpenEXR versions 3.4.0 through 3.4.7 contain an out-of-bounds heap write vulnerability that allows local attackers to crash applications or corrupt memory through malicious image files, affecting any…. A patch is available.

Red Hat EUVD-2026-18060

Q: What is the CVSS score of EUVD-2026-18060?

EUVD-2026-18060 has a CVSS 4.0 base score of 8.4 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-34544 HIGH

Integer Overflow or Wraparound (CWE-190)

2026-04-01 GitHub_M

GHSA-h762-rhv3-h25v

Buffer Overflow Integer Overflow Red Hat Suse

8.4

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Patch released

Apr 04, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 01, 2026 - 21:15 euvd

EUVD-2026-18060

Analysis Generated

Apr 01, 2026 - 21:15 vuln.today

CVE Published

Apr 01, 2026 - 20:55 nvd

HIGH 8.4

DescriptionNVD

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, a crafted B44 or B44A EXR file can cause an out-of-bounds write in any application that decodes it via exr_decoding_run(). Consequences range from immediate crash (most likely) to corruption of adjacent heap allocations (layout-dependent). This issue has been patched in version 3.4.8.

AnalysisAI

Out-of-bounds heap write in OpenEXR 3.4.0-3.4.7 allows local attackers to crash applications or corrupt memory when processing malicious B44/B44A compressed EXR files. Attack requires user interaction to open a crafted image file. …

RemediationAI

Within 24 hours: inventory all systems and applications using OpenEXR 3.4.0-3.4.7 and disable EXR file ingestion or restrict to trusted sources only. Within 7 days: upgrade to OpenEXR 3.4.8 or later where available, or implement strict file validation and sandboxing for EXR processing. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

EUVD-2026-18060 vulnerability details – vuln.today

Back

Red Hat EUVD-2026-18060

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

Red Hat EUVD-2026-18060

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code