Skip to main content

Openexr EUVDEUVD-2026-19305

| CVE-2026-34379 HIGH
Incorrect Type Conversion or Cast (CWE-704)
2026-04-06 GitHub_M
7.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
SUSE
HIGH
qualitative
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:06 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.4.9,3.2.7,3.3.9
EUVD ID Assigned
Apr 06, 2026 - 15:30 euvd
EUVD-2026-19305
Analysis Generated
Apr 06, 2026 - 15:30 vuln.today
CVE Published
Apr 06, 2026 - 15:21 nvd
HIGH 7.1

DescriptionCVE.org

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file containing a FLOAT-type channel, the decoder performs an in-place HALF→FLOAT conversion by casting an unaligned uint8_t * row pointer to float * and writing through it. Because the row buffer may not be 4-byte aligned, this constitutes undefined behavior under the C standard and crashes immediately on architectures that enforce alignment (ARM, RISC-V, etc.). On x86 it is silently tolerated at runtime but remains exploitable via compiler optimizations that assume aligned access. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.

AnalysisAI

Unaligned memory write in OpenEXR DWA decoder causes immediate crashes on ARM/RISC-V architectures and enables potential exploitation on x86 systems via compiler optimization abuse. Affects OpenEXR versions 3.2.0-3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8 when processing DWA/DWAB-compressed EXR files with FLOAT-type channels. Remote attackers can trigger this by convincing users to open malicious EXR files (CVSS 7.1, AV:N/PR:N/UI:R). No public exploit identified at time of analysis, though the technical details are fully disclosed in the GitHub security advisory.

Technical ContextAI

OpenEXR is the Academy Software Foundation's reference implementation for the EXR high-dynamic-range image format, widely used in visual effects and motion picture production workflows. The vulnerability resides in the LossyDctDecoder_execute() function within the DWA (DreamWorks Animation) compression codec implementation. During decompression, the decoder performs in-place type conversion from 16-bit HALF floats to 32-bit FLOAT values by casting uint8_t row buffer pointers directly to float pointers without verifying 4-byte alignment. This violates CWE-704 (Incorrect Type Conversion or Cast) and triggers undefined behavior under ISO C standards. On strictly-aligned architectures (ARM, RISC-V, SPARC), unaligned memory access causes immediate SIGBUS crashes. On x86/x64, the hardware tolerates unaligned access but compilers may generate optimized code assuming alignment guarantees, potentially leading to memory corruption or arbitrary write primitives when optimization flags enable vectorization or assume aligned load/store instructions.

RemediationAI

Upgrade OpenEXR to patched versions immediately: version 3.2.7 for the 3.2.x branch, version 3.3.9 for the 3.3.x branch, or version 3.4.9 for the 3.4.x branch. The vendor-released patches correct the alignment issue by ensuring proper memory alignment before type conversion or by using memcpy-based approaches that avoid direct pointer casting. Organizations unable to patch immediately should implement input validation to reject DWA/DWAB-compressed EXR files from untrusted sources, though this significantly limits functionality. For air-gapped or embedded systems, consider disabling DWA codec support if the build system permits conditional compilation. Consult the GitHub security advisory at https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-w88v-vqhq-5p24 for additional context and patch commits. Validate the fix by testing with known-good EXR files containing FLOAT channels compressed with DWA on target architectures, particularly ARM and RISC-V systems where the crash is reproducible.

CVE-2018-18444 HIGH POC
8.8 Oct 17

makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds write, leading to an assertion failure or possib

CVE-2026-27622 HIGH POC
8.4 Mar 03

Out-of-bounds heap write in OpenEXR's CompositeDeepScanLine::readPixels lets a crafted multi-part deep-scanline EXR file

CVE-2017-12596 HIGH POC
7.8 Aug 07

In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp du

CVE-2026-26981 MEDIUM POC
6.5 Feb 24

OpenEXR versions 3.3.0-3.3.6 and 3.4.0-3.4.4 are vulnerable to a heap buffer overflow in file parsing due to improper in

CVE-2021-3598 MEDIUM POC
5.5 Jul 06

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. Rated medium severity (CV

CVE-2020-16589 MEDIUM POC
5.5 Dec 09

A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.

CVE-2020-16588 MEDIUM POC
5.5 Dec 09

A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp

CVE-2020-16587 MEDIUM POC
5.5 Dec 09

A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruct

CVE-2020-11765 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11764 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11763 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11762 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-19305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy