Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Published: 2026-04-06
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds Read/Write
Action: Upgrade
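As an added illustration (not OpenEXR's code), the following C models the signed 32-bit pointer advance described above beside a checked 64-bit version that rejects the wrap; nx, ny and wcount are the field names from the CVE text, while the function names, return conventions and the "remaining bytes" buffer model are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
#include <stdio.h>

/* Illustrative model only (not OpenEXR's code): after each PIZ channel is
 * decoded, a working pointer advances by nx * ny * wcount elements, with
 * nx, ny and wcount read from the file. The field names follow the CVE
 * text; everything else here is an assumption made for the demonstration. */

/* Vulnerable pattern: the product is formed in signed 32-bit int. The wrap is
 * reproduced with unsigned arithmetic so the demo is deterministic (real
 * signed overflow is undefined behaviour in C). */
long advance_signed32(int nx, int ny, int wcount)
{
    uint32_t wrapped = (uint32_t)nx * (uint32_t)ny * (uint32_t)wcount;
    return (long)(int)wrapped;   /* e.g. 65536 * 32768 * 1 becomes INT_MIN */
}

/* Hardened form: widen to 64 bits, reject negative dimensions, reject any
 * product that overflows, and reject a step past the bytes still available.
 * Returns the element count, or -1 when the file must be rejected. */
int64_t advance_checked(int nx, int ny, int wcount, size_t remaining)
{
    if (nx < 0 || ny < 0 || wcount < 0)
        return -1;
    uint64_t plane = (uint64_t)nx * (uint64_t)ny;   /* < 2^62, cannot overflow */
    if (wcount != 0 && plane > UINT64_MAX / (uint64_t)wcount)
        return -1;                                   /* nx*ny*wcount overflows */
    uint64_t count = plane * (uint64_t)wcount;
    if (count > remaining || count > (uint64_t)INT64_MAX)
        return -1;                                   /* would run off the buffer */
    return (int64_t)count;
}

int main(void)
{
    /* Constructed dimensions: 65536 x 32768 x 1 = 2^31, one past INT_MAX. */
    printf("signed32 advance: %ld\n", advance_signed32(65536, 32768, 1));
    printf("checked advance:  %lld\n",
           (long long)advance_checked(65536, 32768, 1, (size_t)1 << 20));
    return 0;
}
```

The first call shows the wrapped (negative) step the next channel would be decoded from; the second shows the same dimensions being rejected before any pointer moves.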
AI Analysis

Impact

OpenEXR's internal wavelet decoding routine can overflow a signed 32-bit counter when processing a specially crafted EXR file. The resulting wraparound causes the decoder to reference an incorrect memory location, leading to out-of-bounds reads and writes. In any application that links the OpenEXR library, this memory corruption can corrupt data, crash the application, or potentially enable arbitrary code execution if an attacker can supply malicious input.

Affected Systems

The affected versions are all releases from 3.1.0 up to, but not including, 3.2.7; all releases from 3.3.0 up to, but not including, 3.3.9; and all releases from 3.4.0 up to, but not including, 3.4.9 of the AcademySoftwareFoundation OpenEXR library. All other newer releases are unaffected.

Risk and Exploitability

The vulnerability has a CVSS score of 8.6, indicating high severity, while the EPSS score is below 1% and the issue is not listed in the CISA KEV catalog. Attackers would need to supply a malicious EXR file to a vulnerable application that uses OpenEXR; thus the attack vector is local or via supply-chain file ingestion rather than remote exploitation. Exploitation requires the vulnerable library to be loaded and the user to have read access to the crafted file.

Generated by OpenCVE AI on April 7, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official upgrade to OpenEXR 3.2.7, 3.3.9, or 3.4.9 as appropriate for your installation.
  • If upgrading is not immediately possible, ensure that only trusted EXR files are processed and consider sandboxing any utilities that read untrusted files.

Advisories
Source: GitHub GHSA
ID: GHSA-588r-cr5c-w6hf
Title: OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Openexr
Openexr openexr
CPEs cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
Vendors & Products Openexr
Openexr openexr
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Academysoftwarefoundation
Academysoftwarefoundation openexr
Vendors & Products Academysoftwarefoundation
Academysoftwarefoundation openexr

Tue, 07 Apr 2026 07:15:00 +0000


Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Title OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
Weaknesses CWE-125
CWE-190
CWE-787
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T13:05:55.762Z

Reserved: 2026-03-30T16:56:30.999Z

Link: CVE-2026-34588

Vulnrichment

Updated: 2026-04-07T13:05:53.112Z

NVD

Status : Analyzed

Published: 2026-04-06T16:16:35.893

Modified: 2026-04-07T19:01:21.643

Link: CVE-2026-34588

Red Hat

Severity : Important

Public Date: 2026-04-06T15:31:57Z

Links: CVE-2026-34588 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:50:44Z

Weaknesses