Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.7, an attacker providing a crafted .exr file with HTJ2K compression and a channel width of 32768 can write controlled data beyond the output heap buffer in any application that decodes EXR images. The write primitive is 2 bytes per overflow iteration or 4 bytes (by another path), repeating for each additional pixel past the overflow point. In this context, a heap write overflow can lead to remote code execution on systems. This issue has been patched in version 3.4.7.
Published: 2026-04-01
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Heap Overflow
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an integer overflow in the HTJ2K decoder of OpenEXR. A malicious .exr file that uses HTJ2K compression and sets a channel width of 32768 can cause the decoder to calculate an output buffer size that is too small for the data it then writes. The decoder therefore writes controlled data beyond the allocated heap buffer. This out-of-bounds write can overwrite adjacent heap memory, providing a write primitive that can be leveraged to execute arbitrary code. The associated CWEs classify the weakness as a heap-based buffer overflow (CWE-122), an integer overflow or wraparound (CWE-190), and improper validation of a specified quantity in input (CWE-1284).
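As an added illustration (this is not OpenEXR's code, and it does not reproduce the actual vulnerable arithmetic, which this page does not show), the C sketch below contrasts a hypothetical narrow size computation with an overflow-checked one of the kind a decoder needs before allocating its output buffer. It assumes EXR sample sizes of 2 bytes (HALF) and 4 bytes (FLOAT/UINT), matching the 2-byte and 4-byte write widths the description mentions, and uses an assumed signed 16-bit intermediate only to show why a width of exactly 32768 (2^15) is a boundary value. The function names, the size cap and the sample values are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not OpenEXR code. Assumed EXR sample sizes:
 * HALF = 2 bytes, FLOAT and UINT = 4 bytes. */
#define SAMPLE_HALF  2
#define SAMPLE_FLOAT 4

/* Hypothetical narrow computation (assumption for illustration, not the
 * real OpenEXR path): a width funnelled through a signed 16-bit
 * intermediate. 32768 does not fit in int16_t and wraps to -32768 on
 * two's-complement compilers, so the derived byte count goes negative
 * and, once converted to an unsigned allocation size, becomes huge. */
static int32_t narrow_row_bytes(int32_t width, int32_t bytes_per_sample)
{
    int16_t w = (int16_t)width;           /* truncation: 32768 -> -32768 */
    return (int32_t)w * bytes_per_sample;
}

/* Hardened size computation: dimensions must be positive and within
 * int32 range, every multiplication is overflow-checked in 64-bit
 * unsigned arithmetic, and the result must stay under a caller-supplied
 * cap. Returns the byte count, or -1 if the request must be rejected. */
static int64_t checked_buffer_size(int64_t width, int64_t height,
                                   int64_t bytes_per_sample, uint64_t max_bytes)
{
    if (width <= 0 || height <= 0 || bytes_per_sample <= 0)
        return -1;
    if (width > INT32_MAX || height > INT32_MAX)
        return -1;

    uint64_t row_bytes, total;
    if (__builtin_mul_overflow((uint64_t)width, (uint64_t)bytes_per_sample, &row_bytes))
        return -1;
    if (__builtin_mul_overflow(row_bytes, (uint64_t)height, &total))
        return -1;
    if (total > max_bytes || total > (uint64_t)INT64_MAX)
        return -1;
    return (int64_t)total;
}

int main(void)
{
    const int32_t width = 32768;          /* the boundary value from the advisory */

    printf("narrow 16-bit path, width %d, HALF: %d bytes per row\n",
           width, narrow_row_bytes(width, SAMPLE_HALF));
    printf("checked path, 32768x1 HALF: %lld bytes\n",
           (long long)checked_buffer_size(width, 1, SAMPLE_HALF, 1u << 30));
    printf("checked path, 32768x32768 FLOAT under a 1 GiB cap: %lld (rejected)\n",
           (long long)checked_buffer_size(width, width, SAMPLE_FLOAT, 1u << 30));
    return 0;
}
```

The design point is that the check happens on the declared dimensions before any allocation, in a type wide enough that the product cannot wrap, and that a rejected size is reported rather than clamped; the cap is whatever the consuming application is willing to allocate for one image.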

Affected Systems

OpenEXR versions 3.4.0 through 3.4.6 are affected. Any application that links against these library releases and decodes .exr files containing HTJ2K compressed data is at risk. The issue was addressed in OpenEXR 3.4.7, which introduces bounds checks that prevent the overflow.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity, and the EPSS score of less than 1% suggests exploitation probability remains low at present. The vulnerability is not listed in CISA’s KEV catalog, so it is not currently known to be actively exploited. The likely attack vector requires delivery of a crafted .exr file to the vulnerable application; if the application parses files from an untrusted source, the attacker could gain remote code execution by controlling the heap layout. The impact includes potential compromise of confidentiality, integrity, and availability of the affected system.

Generated by OpenCVE AI on April 7, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEXR to 3.4.7 or later
  • If an upgrade is not feasible, disable or restrict processing of HTJ2K‑compressed .exr files in the application
  • Monitor for abnormal memory usage, crashes, or RCE attempts in applications that use OpenEXR
  • Verify that no older OpenEXR versions remain installed on the system

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type: First Time appeared
  Values Added: Openexr; Openexr openexr
Type: CPEs
  Values Added: cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Openexr; Openexr openexr
Type: Metrics
  Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  Values Added: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

Fri, 03 Apr 2026 20:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
  Values Added: Academysoftwarefoundation; Academysoftwarefoundation openexr
Type: Vendors & Products
  Values Added: Academysoftwarefoundation; Academysoftwarefoundation openexr

Thu, 02 Apr 2026 12:15:00 +0000

Type: Weaknesses
  Values Added: CWE-1284
Type: References
Type: Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; threat_severity Important

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values Added: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.7, an attacker providing a crafted .exr file with HTJ2K compression and a channel width of 32768 can write controlled data beyond the output heap buffer in any application that decodes EXR images. The write primitive is 2 bytes per overflow iteration or 4 bytes (by another path), repeating for each additional pixel past the overflow point. In this context, a heap write overflow can lead to remote code execution on systems. This issue has been patched in version 3.4.7.
Type: Title
  Values Added: OpenEXR: integer overflow lead to OOB in HTJ2K decoder
Type: Weaknesses
  Values Added: CWE-122; CWE-190
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T19:47:18.494Z

Reserved: 2026-03-30T16:31:39.264Z

Link: CVE-2026-34545

Vulnrichment

Updated: 2026-04-03T19:47:04.539Z

NVD

Status : Analyzed

Published: 2026-04-01T21:17:01.640

Modified: 2026-04-07T20:04:43.683

Link: CVE-2026-34545

Redhat

Severity : Important

Public Date: 2026-04-01T20:51:45Z

Links: CVE-2026-34545 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:56:51Z

Weaknesses