Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a signed integer overflow in generic_unpack(). By setting dataWindow.min.x to a large negative value, OpenEXRCore computes an enormous image width, which is later used in a signed integer multiplication that overflows, causing the process to terminate with SIGILL via UBSan. This vulnerability is fixed in 3.4.9.
Published: 2026-04-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (process crash via SIGILL)
Action: Immediate Patch
AI Analysis

Impact

A signed integer overflow in OpenEXR's generic_unpack() occurs when a crafted EXR file sets dataWindow.min.x to a large negative value. Because the header carries no bounds check on that attribute, the library derives an enormous image width from the distance between max.x and min.x, and that width then feeds a signed integer multiplication that overflows. In the UBSan-instrumented build the advisory describes, the sanitizer traps on the overflow and the process terminates with SIGILL; in an ordinary build the same arithmetic is undefined behaviour, so the exact outcome depends on the compiler, but the practical effect is still a crash or otherwise unreliable decoding. The weakness is classified as CWE-190 and results in a denial-of-service condition for any application that loads the malformed file.
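To make the arithmetic concrete, the block below is an added illustration written for this page; it is not OpenEXR's code and not the 3.4.9 fix. The box2i struct, the function names and the sample windows are our own. It evaluates the unchecked width formula in 64 bits (so the demo never performs the undefined 32-bit overflow itself), reports when the int32 form would overflow, and shows one way to bound-check a dataWindow before any width * height * bytes_per_pixel product is formed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the header's dataWindow attribute (a Box2i with
 * int32 corners). Field names are ours, not OpenEXRCore's. */
typedef struct {
    int32_t min_x, min_y;
    int32_t max_x, max_y;
} box2i;

/* max - min + 1, evaluated in 64 bits so that the demo itself never
 * executes the undefined 32-bit overflow. Used for both width and height. */
int64_t window_width_i64(int32_t min_v, int32_t max_v)
{
    return (int64_t)max_v - (int64_t)min_v + 1;
}

/* True when the same expression in int32 arithmetic would overflow, which is
 * the condition a UBSan trap build turns into SIGILL. */
bool width_overflows_i32(int32_t min_v, int32_t max_v)
{
    int64_t w = window_width_i64(min_v, max_v);
    return w > INT32_MAX || w < INT32_MIN;
}

/* Hardened validation, our own illustration rather than the upstream 3.4.9
 * change: reject an inverted window, a width or height that does not fit a
 * positive int32, and a pixel or byte count that overflows int64. Returns
 * the byte count of one full-resolution buffer, or -1 when rejected. */
int64_t validate_data_window(const box2i *w, int32_t bytes_per_pixel)
{
    if (bytes_per_pixel <= 0)
        return -1;
    if (w->min_x > w->max_x || w->min_y > w->max_y)
        return -1;

    int64_t width  = window_width_i64(w->min_x, w->max_x);
    int64_t height = window_width_i64(w->min_y, w->max_y);
    if (width > INT32_MAX || height > INT32_MAX)
        return -1;  /* must survive as int32 in downstream code */

    int64_t pixels, bytes;
    if (__builtin_mul_overflow(width, height, &pixels))
        return -1;
    if (__builtin_mul_overflow(pixels, (int64_t)bytes_per_pixel, &bytes))
        return -1;
    return bytes;
}

int main(void)
{
    /* Constructed samples: a normal HD window and a crafted header with
     * dataWindow.min.x = INT32_MIN as the advisory describes. 8 bytes per
     * pixel corresponds to four half-float channels. */
    const box2i hd      = { 0, 0, 1919, 1079 };
    const box2i crafted = { INT32_MIN, 0, 0, 0 };

    printf("hd:      width=%lld bytes=%lld\n",
           (long long)window_width_i64(hd.min_x, hd.max_x),
           (long long)validate_data_window(&hd, 8));
    printf("crafted: width=%lld int32-overflow=%d bytes=%lld\n",
           (long long)window_width_i64(crafted.min_x, crafted.max_x),
           width_overflows_i32(crafted.min_x, crafted.max_x),
           (long long)validate_data_window(&crafted, 8));
    return 0;
}
```

The crafted window passes the naive min <= max test (INT32_MIN is less than 0), which is why an ordering check alone is not enough: the width itself must be range-checked, and every later product should use overflow-checked multiplication. Build with GCC or Clang, which provide __builtin_mul_overflow.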

Affected Systems

The vulnerability affects the Academy Software Foundation's OpenEXR library in releases 3.4.0 through 3.4.8. Any software that links these versions to read EXR files in image-processing or media pipelines is exposed, including motion-picture applications that rely on OpenEXR for HDR image storage.

Risk and Exploitability

The CVSS score of 6.5 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, availability impact only) indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation and the vulnerability is not listed in CISA's KEV catalog. The SSVC assessment records Exploitation as "poc", so a crafted file exists but no active exploitation is recorded. Exploitation requires an attacker to deliver a malicious EXR file to an application that processes it, which is plausible wherever user-supplied media is decoded but is not considered a widespread attack vector at present. The impact remains confined to a crash rather than code execution.

Generated by OpenCVE AI on April 7, 2026 at 21:41 UTC.

Remediation

Vendor fix: OpenEXR 3.4.9 corrects the missing bounds check (per the CVE description). No vendor workaround is listed.

OpenCVE Recommended Actions

  • Update OpenEXR to version 3.4.9 or later to apply the vendor fix.
  • If an upgrade is not immediately possible, do not allow untrusted EXR files to be processed by applications that depend on OpenEXR.
  • Monitor the application for unexpected SIGILL crashes that may indicate exploitation attempts.
  • Verify that the updated library is the one in use by checking the version number at runtime or consulting the vendor’s release notes.
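For the version check in the last item, the block below is an added example, not part of the OpenCVE page or of OpenEXR. It encodes the affected range stated above (3.4.0 up to but not including 3.4.9) and parses a plain MAJOR.MINOR.PATCH string such as the output of `pkg-config --modversion OpenEXR`; the sample strings in main are constructed. At runtime the triple can also be obtained from OpenEXRCore's exr_get_library_version(), which this block deliberately does not call so that it compiles without the library installed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Affected range from the advisory: 3.4.0 <= version < 3.4.9. */
bool openexr_triple_affected(int major, int minor, int patch)
{
    return major == 3 && minor == 4 && patch >= 0 && patch < 9;
}

/* Parse a plain "MAJOR.MINOR.PATCH" string (strip any trailing newline
 * first). Anything else, including a suffix such as "-rc1", is treated as
 * unparseable rather than silently accepted. */
bool parse_version_triple(const char *s, int *major, int *minor, int *patch)
{
    char trailing;
    if (sscanf(s, "%d.%d.%d%c", major, minor, patch, &trailing) != 3)
        return false;
    return *major >= 0 && *minor >= 0 && *patch >= 0;
}

/* 1 = affected, 0 = outside the affected range, -1 = could not parse
 * (treat as unknown and investigate rather than as safe). */
int openexr_version_affected(const char *version)
{
    int maj, min, pat;
    if (!parse_version_triple(version, &maj, &min, &pat))
        return -1;
    return openexr_triple_affected(maj, min, pat) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample strings; in a real check feed the pkg-config
     * output or the triple reported by exr_get_library_version(). */
    const char *samples[] = { "3.4.0", "3.4.8", "3.4.9",
                              "3.3.2", "3.4.10", "3.4.9-rc1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %d\n", samples[i],
               openexr_version_affected(samples[i]));
    return 0;
}
```

Note that a pre-release string is reported as unknown rather than fixed: a build labelled 3.4.9-rc1 is not evidence that the 3.4.9 fix is present.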

Generated by OpenCVE AI on April 7, 2026 at 21:41 UTC.


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Openexr
                                       Openexr openexr
CPEs                                   cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
Vendors & Products                     Openexr
                                       Openexr openexr

Tue, 07 Apr 2026 07:15:00 +0000


Tue, 07 Apr 2026 00:00:00 +0000

Type                 Values Removed              Values Added
First Time appeared                              Academysoftwarefoundation
                                                 Academysoftwarefoundation openexr
Vendors & Products                               Academysoftwarefoundation
                                                 Academysoftwarefoundation openexr
References
Metrics              threat_severity: None       threat_severity: Moderate


Mon, 06 Apr 2026 16:45:00 +0000

Type                 Values Removed    Values Added
Metrics (ssvc)                         {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 15:30:00 +0000

Type                 Values Removed    Values Added
Description                            OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a signed integer overflow in generic_unpack(). By setting dataWindow.min.x to a large negative value, OpenEXRCore computes an enormous image width, which is later used in a signed integer multiplication that overflows, causing the process to terminate with SIGILL via UBSan. This vulnerability is fixed in 3.4.9.
Title                                  OpenEXR has a signed integer overflow in generic_unpack() when parsing EXR files with crafted negative dataWindow.min.x
Weaknesses                             CWE-190
References
Metrics (cvssV3_1)                     {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Subscriptions

Academysoftwarefoundation Openexr
Openexr Openexr
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T03:07:17.341Z

Reserved: 2026-03-27T13:43:14.370Z

Link: CVE-2026-34378

Vulnrichment

Updated: 2026-04-06T15:33:03.523Z

NVD

Status : Analyzed

Published: 2026-04-06T16:16:35.057

Modified: 2026-04-07T19:05:27.463

Link: CVE-2026-34378

Redhat

Severity : Moderate

Public Date: 2026-04-06T15:19:34Z

Links: CVE-2026-34378 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:50:47Z

Weaknesses