Skip to main content

Openexr EUVDEUVD-2026-19348

| CVE-2026-34589 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-04-06 GitHub_M GHSA-p8xc-w3q4-h64x
High
Disputed · 8.4 Vendor: GitHub_M
Share

Severity by source

Sources disagree (Low–High)
Vendor (GitHub_M) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
3.1 LOW
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Red Hat
8.8 HIGH
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch released
Apr 08, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 06, 2026 - 16:00 euvd
EUVD-2026-19348
Analysis Generated
Apr 06, 2026 - 16:00 vuln.today
CVE Published
Apr 06, 2026 - 15:33 nvd
HIGH 8.4

DescriptionCVE.org

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.

AnalysisAI

Integer overflow in OpenEXR's DWA lossy decoder (versions 3.2.0-3.2.6, 3.3.0-3.3.8, 3.4.0-3.4.8) enables local attackers to trigger out-of-bounds memory writes when processing maliciously crafted EXR image files. The vulnerability stems from signed 32-bit arithmetic overflow in block pointer calculations for large image widths, causing decoder operations to write outside allocated memory buffers. User interaction is required (victim must open a malicious EXR file), but no authentication is needed. No public exploit identified at time of analysis, though the technical details in the GitHub security advisory provide sufficient information for proof-of-concept development.

Technical ContextAI

OpenEXR is the Academy Software Foundation's reference implementation for the EXR image format, widely used in visual effects and motion picture post-production workflows. The vulnerability resides in the DWA (DreamWorks Animation) lossy compression codec's decoder implementation. When decompressing DWA-encoded image data, the decoder allocates temporary per-component block pointers using signed 32-bit integer arithmetic to calculate memory offsets. For images with sufficiently large width values, this calculation exceeds the maximum positive value of a signed 32-bit integer (2,147,483,647), causing integer overflow (CWE-190). The overflowed result wraps to a negative or incorrect value, producing a pointer that falls outside the bounds of the allocated rowBlock memory structure. Subsequent decoder write operations using this corrupted pointer result in out-of-bounds memory access, effectively creating a buffer overflow condition. The affected component is part of OpenEXR's core library (cpe:2.3:a:academysoftwarefoundation:openexr), which is integrated into numerous image processing applications, 3D rendering tools, and media pipelines.

RemediationAI

Organizations should immediately upgrade OpenEXR to patched versions: 3.2.7 or later for the 3.2.x branch, 3.3.9 or later for the 3.3.x branch, or 3.4.9 or later for the 3.4.x branch. These releases contain fixes that properly handle signed 32-bit arithmetic in the DWA decoder to prevent integer overflow conditions. The vendor security advisory at https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x provides complete version-specific remediation guidance. For environments where immediate patching is not feasible, implement compensating controls such as restricting processing of EXR files to trusted sources only, deploying application sandboxing or containerization to limit potential exploit impact, and implementing file validation checks before processing. Organizations should inventory all applications and systems using OpenEXR libraries, prioritizing updates for internet-facing services and systems processing untrusted image content. After patching, verify the OpenEXR library version through package management tools or application dependency checks to confirm successful remediation.

CVE-2018-18444 HIGH POC
8.8 Oct 17

makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of-bounds write, leading to an assertion failure or possib

CVE-2026-27622 HIGH POC
8.4 Mar 03

Out-of-bounds heap write in OpenEXR's CompositeDeepScanLine::readPixels lets a crafted multi-part deep-scanline EXR file

CVE-2017-12596 HIGH POC
7.8 Aug 07

In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp du

CVE-2026-26981 MEDIUM POC
6.5 Feb 24

OpenEXR versions 3.3.0-3.3.6 and 3.4.0-3.4.4 are vulnerable to a heap buffer overflow in file parsing due to improper in

CVE-2021-3598 MEDIUM POC
5.5 Jul 06

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. Rated medium severity (CV

CVE-2020-16589 MEDIUM POC
5.5 Dec 09

A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.

CVE-2020-16588 MEDIUM POC
5.5 Dec 09

A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp

CVE-2020-16587 MEDIUM POC
5.5 Dec 09

A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruct

CVE-2020-11765 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11764 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11763 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

CVE-2020-11762 MEDIUM POC
5.5 Apr 14

An issue was discovered in OpenEXR before 2.4.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticati

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-19348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy