Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Published: 2026-04-06
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: Out-of-Bounds Read/Write Leading to Potential Memory Corruption
Action: Patch Immediately
AI Analysis

Impact

The vulnerability stems from a signed 32‑bit integer overflow in the PIZ wavelet decoder routine of OpenEXR. The internal_exr_undo_piz function advances the working wavelet pointer by a per‑channel size computed as the product of nx, ny and wcount, all of which are int, so the multiplication is performed in signed 32‑bit arithmetic. An attacker can craft an EXR file whose channel dimensions make that product overflow and wrap, so the decoder advances the pointer by a wrong (possibly zero or negative) amount and decodes the next channel at an incorrect address. Because the wavelet decode path operates in place, the result is both out‑of‑bounds reads and out‑of‑bounds writes at an attacker‑influenced offset from the working buffer, which can corrupt process memory and compromise the integrity or confidentiality of the program that opened the file.
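The arithmetic the description refers to, shown as an added illustration in C. This is not OpenEXR's internal_exr_undo_piz code; it is a constructed model of the pattern (a per‑channel size computed in int and used to advance a pointer) next to a hardened form that computes the size in size_t with explicit overflow checks and bounds the advance against the buffer. The sample buffer, the dimensions and the function names are assumptions made for the example; the overflow check uses the GCC/Clang __builtin_mul_overflow intrinsic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample buffer standing in for the PIZ working buffer:
 * 64 x 64 pixels x 3 channels of 16-bit halves. Not real EXR data. */
#define SAMPLE_LEN (64 * 64 * 3)
static uint16_t sample_buf[SAMPLE_LEN];

/* Vulnerable pattern: the per-channel size nx*ny*wcount evaluated in int.
 * Signed overflow is undefined in C, so the wrap is modeled here with
 * uint32_t and reinterpreted; this is the value the pointer would be
 * advanced by on a typical two's-complement build. */
static int32_t wrapped_channel_size(int nx, int ny, int wcount)
{
    uint32_t prod = (uint32_t)nx * (uint32_t)ny * (uint32_t)wcount;
    return (int32_t)prod;
}

/* Hardened form: reject negative dimensions and multiply in size_t with
 * explicit overflow checks (GCC/Clang __builtin_mul_overflow). */
static bool checked_channel_size(int nx, int ny, int wcount, size_t *out)
{
    if (nx < 0 || ny < 0 || wcount < 0)
        return false;
    size_t tmp, total;
    if (__builtin_mul_overflow((size_t)nx, (size_t)ny, &tmp))
        return false;
    if (__builtin_mul_overflow(tmp, (size_t)wcount, &total))
        return false;
    *out = total;
    return true;
}

/* Advance the working pointer past one channel, but only if the whole
 * channel lies inside [base, base + buflen). Returns NULL otherwise, so the
 * caller fails the decode instead of reading or writing out of bounds. */
static const uint16_t *advance_checked(const uint16_t *base, size_t buflen,
                                       const uint16_t *cur,
                                       int nx, int ny, int wcount)
{
    size_t n;
    if (cur < base || (size_t)(cur - base) > buflen)
        return NULL;
    if (!checked_channel_size(nx, ny, wcount, &n))
        return NULL;
    size_t remaining = buflen - (size_t)(cur - base);
    if (n > remaining)
        return NULL;
    return cur + n;
}

int main(void)
{
    /* Dimensions that fit, then dimensions whose product wraps to zero:
     * the unchecked advance would leave the pointer where it is and decode
     * the next channel over the previous one. */
    printf("1920x1080x3 as int: %d\n", wrapped_channel_size(1920, 1080, 3));
    printf("65536x65536x1 as int: %d\n", wrapped_channel_size(65536, 65536, 1));

    const uint16_t *p = advance_checked(sample_buf, SAMPLE_LEN, sample_buf, 64, 64, 3);
    printf("64x64x3 checked advance: %s\n", p ? "ok" : "rejected");
    p = advance_checked(sample_buf, SAMPLE_LEN, sample_buf, 65536, 65536, 1);
    printf("65536x65536x1 checked advance: %s\n", p ? "ok" : "rejected");
    return 0;
}
```

The point of the hardened form is that the size check and the bounds check are separate: widening the multiplication alone is not enough on a 64‑bit build, where 65536 x 65536 x 1 fits in size_t but is still far larger than the buffer, so the advance must also be compared against what remains of the working buffer.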

Affected Systems

Affected is the AcademySoftwareFoundation OpenEXR library from version 3.1.0 up to, but not including, the fixed releases on each maintained branch: 3.2.7, 3.3.9 and 3.4.9. Any software that links these versions, such as motion‑picture pipelines and image tools that read EXR for high‑dynamic‑range imagery, may be vulnerable when it decodes a crafted PIZ‑compressed file.

Risk and Exploitability

With a CVSS v4.0 score of 8.6 the vulnerability is classified as high severity; the CVSS v3.1 vector recorded in the history below (AV:N, UI:R, 8.8) models the same flaw as network‑delivered with user interaction, while the v4.0 vector models it as a local attack with no interaction. The EPSS score is not reported and the issue is not listed in the CISA KEV catalog, so no large‑scale exploitation has been documented. The likely attack vector is delivery of a malicious EXR file through any medium that gets the file opened by an application using OpenEXR, as the payload is fully contained within the file (inferred). Because the flaw permits out‑of‑bounds reads and writes in the decoding process, a successful attack could lead to arbitrary code execution in that process, although such exploitation is not described in the advisory.

Generated by OpenCVE AI on April 6, 2026 at 20:07 UTC.

Remediation

Fixed upstream in OpenEXR 3.2.7, 3.3.9 and 3.4.9 (see the description above). No workaround is provided by the vendor.

OpenCVE Recommended Actions

  • Upgrade OpenEXR to a patched version (3.2.7, 3.3.9, or 3.4.9).
  • If immediate upgrade is not possible, refuse or quarantine any untrusted EXR files until a patch is applied.
  • Verify that all applications linking to OpenEXR are updated to use the patched library.


Tracking


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type        Values Removed          Values Added
References
Metrics     threat_severity: None   cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
                                    threat_severity: Important


Mon, 06 Apr 2026 16:45:00 +0000

Type        Values Removed   Values Added
Description                  OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Title                        OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
Weaknesses                   CWE-125, CWE-190, CWE-787
References
Metrics                      cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T15:31:57.602Z

Reserved: 2026-03-30T16:56:30.999Z

Link: CVE-2026-34588

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-06T16:16:35.893

Modified: 2026-04-06T16:16:35.893

Link: CVE-2026-34588

Red Hat

Severity : Important

Public Date: 2026-04-06T15:31:57Z

Links: CVE-2026-34588 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-06T21:32:13Z

Weaknesses