Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). This occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction. This issue has been patched in version 3.4.8.
Published: 2026-04-01
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

A heap information-disclosure flaw exists in the PXR24 decompression routine (undo_pxr24_impl) of the OpenEXR image library. When an application decodes a specially crafted EXR file, the library can read beyond the intended buffer and return portions of the heap to the caller. The exposed data comes back as part of the decoded pixel values, allowing an attacker to recover arbitrary memory contents belonging to the process that uses the library. The weakness stems from a missing validation of the decompressed size against the expected data length, constituting information exposure through overreading.
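As an added illustration, not OpenEXR's own code, the following C model contrasts a decompression wrapper that ignores how many bytes the decoder actually produced with one that validates that count against the expected uncompressed size, the check the advisory title refers to. The toy codec (rle_decode), the wrapper names and the sample chunk are all constructed for this example and only model the missing check, not the real PXR24 format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy run-length codec standing in for the compression stage. Assumption:
 * this is not OpenEXR's PXR24 code, only a model of the missing check. */
static long rle_decode(const uint8_t *src, size_t src_len,
                       uint8_t *dst, size_t dst_cap) {
    size_t out = 0;
    for (size_t i = 0; i + 1 < src_len; i += 2) {  /* (count, byte) pairs */
        size_t n = src[i];
        if (out + n > dst_cap) return -1;           /* would overflow dst */
        memset(dst + out, src[i + 1], n);
        out += n;
    }
    return (long)out;                               /* bytes produced */
}
/* Vulnerable pattern: "success" as long as nothing overflowed, even when the
 * chunk yields fewer bytes than the scanline needs; the untouched tail of the
 * heap buffer is then handed back as pixel data. */
int decode_unchecked(const uint8_t *src, size_t src_len,
                     uint8_t *pixels, size_t expected_len) {
    long got = rle_decode(src, src_len, pixels, expected_len);
    return got < 0 ? -1 : 0;
}
/* Hardened pattern: the decoded byte count must equal the expected
 * uncompressed size, otherwise reject the chunk and leave nothing stale. */
int decode_checked(const uint8_t *src, size_t src_len,
                   uint8_t *pixels, size_t expected_len) {
    long got = rle_decode(src, src_len, pixels, expected_len);
    if (got < 0 || (size_t)got != expected_len) {
        memset(pixels, 0, expected_len);
        return -1;
    }
    return 0;
}

typedef int (*decoder_fn)(const uint8_t *, size_t, uint8_t *, size_t);
/* Constructed sample: a chunk claiming a 16-byte scanline but encoding only
 * 6 bytes. pixels is pre-filled with 0xAA as a stand-in for stale heap data;
 * the return value counts how many such bytes reach the caller. */
size_t stale_bytes_exposed(decoder_fn decode) {
    const uint8_t chunk[] = { 4, 0x11, 2, 0x22 };
    uint8_t pixels[16];
    memset(pixels, 0xAA, sizeof pixels);
    size_t exposed = 0;
    if (decode(chunk, sizeof chunk, pixels, sizeof pixels) == 0)
        for (size_t i = 0; i < sizeof pixels; i++) exposed += (pixels[i] == 0xAA);
    return exposed;
}
```

With the unchecked wrapper, 10 of the 16 returned bytes are whatever the buffer held before decoding; the checked wrapper rejects the chunk instead.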

Affected Systems

The vulnerability affects the Academy Software Foundation’s OpenEXR implementation from version 3.4.0 through 3.4.7 inclusive. Any software that embeds these releases and uses the default PXR24 decoder is susceptible. The issue was addressed in release 3.4.8; systems using that or a later version are no longer impacted.

Risk and Exploitability

The vulnerability carries a CVSS v4.0 base score of 8.7, classifying it as high severity. EPSS estimates the probability of exploitation at below 1%, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can trigger the flaw by delivering a malicious EXR file to the target application, with no user interaction required. The impact is theft of sensitive information residing in the process heap, which could include credentials, cryptographic keys, or other secrets. Because any process that loads the library is affected, the scope extends from a single user to the entire application and potentially to related services that rely on image decoding.

Generated by OpenCVE AI on April 7, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEXR to version 3.4.8 or newer.
  • If an upgrade is not immediately possible, disable the PXR24 decoder for untrusted files or replace it with a validated decoder.
  • Monitor for abnormal memory usage or unfamiliar EXR files in logs.
  • Consult the vendor’s advisory and keep the library up to date.

Advisories
Source: Github GHSA
ID: GHSA-vc68-257w-m432
Title: OpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)
History

Tue, 07 Apr 2026 20:45:00 +0000

  First Time appeared
    Added: Openexr; Openexr openexr
  CPEs
    Added: cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
  Vendors & Products
    Added: Openexr; Openexr openexr
  Metrics
    Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
    Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 02 Apr 2026 20:30:00 +0000

  First Time appeared
    Added: Academysoftwarefoundation; Academysoftwarefoundation openexr
  Vendors & Products
    Added: Academysoftwarefoundation; Academysoftwarefoundation openexr

Thu, 02 Apr 2026 14:15:00 +0000

  Metrics
    Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 12:15:00 +0000

  Weaknesses
    Added: CWE-824
  References
  Metrics
    Removed: threat_severity None
    Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
    Added: threat_severity Moderate

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Added: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). This occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction. This issue has been patched in version 3.4.8.
  Title
    Added: OpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)
  Weaknesses
    Added: CWE-908
  References
  Metrics
    Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T13:59:31.393Z

Reserved: 2026-03-30T16:31:39.264Z

Link: CVE-2026-34543

Vulnrichment

Updated: 2026-04-02T13:59:20.417Z

NVD

Status : Analyzed

Published: 2026-04-01T21:17:01.320

Modified: 2026-04-07T20:16:10.383

Link: CVE-2026-34543

Redhat

Severity : Moderate

Public Date: 2026-04-01T20:56:18Z

Links: CVE-2026-34543 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:56:48Z

Weaknesses