Skip to main content

Openexr EUVDEUVD-2026-19347

| CVE-2026-34588 HIGH
Out-of-bounds Read (CWE-125)
2026-04-06 GitHub_M GHSA-588r-cr5c-w6hf
8.6
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.6 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 08, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 06, 2026 - 16:00 euvd
EUVD-2026-19347
Analysis Generated
Apr 06, 2026 - 16:00 vuln.today
CVE Published
Apr 06, 2026 - 15:31 nvd
HIGH 8.6

DescriptionCVE.org

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.

AnalysisAI

Integer overflow in OpenEXR's PIZ wavelet decompression leads to out-of-bounds memory access when processing malicious EXR image files. Affects OpenEXR 3.1.0 through 3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8. Local attackers can trigger memory corruption through crafted EXR files without authentication (CVSS:4.0 AV:L/PR:N), achieving high confidentiality, integrity, and availability impact. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patches available in versions 3.2.7, 3.3.9, and 3.4.9.

Technical ContextAI

OpenEXR is the Academy Software Foundation's reference implementation for the EXR high-dynamic-range image format widely used in visual effects and animation pipelines. The vulnerability resides in internal_exr_undo_piz(), part of the PIZ wavelet-based compression codec. During decompression, the function calculates wavelet buffer offsets using signed 32-bit integer arithmetic (nx * ny * wcount). A maliciously crafted EXR file can supply dimension and channel parameters that cause this multiplication to exceed INT_MAX, wrapping to a negative or incorrect positive value. The corrupted pointer then causes subsequent wavelet decoding operations to read from and write to unintended memory locations. This maps to CWE-125 (Out-of-bounds Read) but also involves writes due to the in-place decoding design. The affected CPE (cpe:2.3:a:academysoftwarefoundation:openexr) covers all distributions of the library across multiple major version branches introduced starting with the 3.1.0 refactor.

RemediationAI

Upgrade to patched OpenEXR versions: 3.2.7 (for 3.2.x branch users), 3.3.9 (for 3.3.x users), or 3.4.9 (for 3.4.x users). Organizations should inventory all systems using OpenEXR libraries, including bundled dependencies in commercial applications (e.g., Adobe products, Foundry Nuke, Autodesk tools), and apply vendor-provided updates. For systems unable to upgrade immediately, implement strict input validation to reject EXR files from untrusted sources, run EXR processing in sandboxed environments with minimal privileges, and monitor for unexpected crashes or memory access violations. Review the GitHub Security Advisory at https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf for additional technical details and coordinate with application vendors who bundle OpenEXR to ensure downstream patches are released.

CVE-2018-18444 HIGH POC
8.8 Oct 17

makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds write, leading to an assertion failure or possib

CVE-2026-27622 HIGH POC
8.4 Mar 03

Out-of-bounds heap write in OpenEXR's CompositeDeepScanLine::readPixels lets a crafted multi-part deep-scanline EXR file

CVE-2017-12596 HIGH POC
7.8 Aug 07

In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp du

CVE-2026-26981 MEDIUM POC
6.5 Feb 24

OpenEXR versions 3.3.0-3.3.6 and 3.4.0-3.4.4 are vulnerable to a heap buffer overflow in file parsing due to improper in

CVE-2021-3598 MEDIUM POC
5.5 Jul 06

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. Rated medium severity (CV

CVE-2020-16589 MEDIUM POC
5.5 Dec 09

A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.

CVE-2020-16588 MEDIUM POC
5.5 Dec 09

A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp

CVE-2020-16587 MEDIUM POC
5.5 Dec 09

A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruct

CVE-2020-11765 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11764 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11763 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11762 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-19347 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy