Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file containing a FLOAT-type channel, the decoder performs an in-place HALF→FLOAT conversion by casting an unaligned uint8_t * row pointer to float * and writing through it. Because the row buffer may not be 4-byte aligned, this constitutes undefined behavior under the C standard and crashes immediately on architectures that enforce alignment (ARM, RISC-V, etc.). On x86 it is silently tolerated at runtime but remains exploitable via compiler optimizations that assume aligned access. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Published: 2026-04-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

OpenEXR's reference implementation of the motion-picture industry's image format decodes DWA and DWAB compressed EXR files. In versions 3.2.0 through 3.2.6, 3.3.0 through 3.3.8 and 3.4.0 through 3.4.8, the function that decodes these compressed channels performs an in-place conversion from HALF to FLOAT. The code casts an unaligned uint8_t * row pointer to float * and writes through it. Because the row buffer may not be 4-byte aligned, this misaligned write is undefined behavior under the C standard. On architectures that enforce 4-byte alignment, the failure manifests as a crash; on x86 the access is tolerated at runtime, but compiler optimizations that assume aligned access may still turn it into data corruption or a denial of service.

Affected Systems

Any software that bundles the Academy Software Foundation’s OpenEXR library versions 3.2.0 to 3.2.6, 3.3.0 to 3.3.8 and 3.4.0 to 3.4.8, and that processes DWA or DWAB compressed images with FLOAT‑type channels, is vulnerable. This includes the open source binaries supplied by the foundation as well as third‑party applications that embed the library. The vulnerability is fixed in releases 3.2.7, 3.3.9 and 3.4.9.

Risk and Exploitability

The CVSS score indicates high severity (7.1). However, the EPSS score is below 1 %, suggesting that active exploitation is unlikely at present. The vulnerability does not appear in CISA’s KEV list, implying no publicly known active exploits. Attackers would need to supply a crafted EXR file that the vulnerable decoder processes. On alignment-enforcing processors the outcome is a predictable crash, giving the system an immediate denial of service. On processors that tolerate misaligned access, the risk depends on whether compiler optimizations lead to corruption or uncontrolled execution, which is less certain. In either case, the impact is confined to the application's runtime and does not provide remote code execution to external attackers.

Generated by OpenCVE AI on April 7, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEXR to version 3.2.7, 3.3.9, or 3.4.9 or later
  • Recompile or rebuild dependent applications to link against the updated library
  • Until the upgrade can be applied, avoid processing DWA or DWAB compressed EXR files that contain FLOAT channels or switch to an alternative image format

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openexr; Openexr openexr
CPEs | | cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
Vendors & Products | | Openexr; Openexr openexr

Tue, 07 Apr 2026 07:15:00 +0000


Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Academysoftwarefoundation; Academysoftwarefoundation openexr
Weaknesses | | CWE-475
Vendors & Products | | Academysoftwarefoundation; Academysoftwarefoundation openexr
References | |
Metrics | threat_severity: None | threat_severity: Important


Mon, 06 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | (the description shown at the top of this page)
Title | | OpenEXR has a misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)
Weaknesses | | CWE-704; CWE-787; CWE-843
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T03:07:14.371Z

Reserved: 2026-03-27T13:43:14.370Z

Link: CVE-2026-34379

Vulnrichment

Updated: 2026-04-06T18:38:28.187Z

NVD

Status : Analyzed

Published: 2026-04-06T16:16:35.233

Modified: 2026-04-07T19:04:50.103

Link: CVE-2026-34379

Red Hat

Severity : Important

Public Date: 2026-04-06T15:21:06Z

Links: CVE-2026-34379 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:50:46Z