Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Published: 2026-04-06
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: Heap Out-of-Bounds Write
Action: Patch Immediately
AI Analysis

Impact

This vulnerability arises in the DWA lossy decoder of the OpenEXR library. When decoding an image with a sufficiently large component width, the signed 32-bit arithmetic used to compute temporary per-component block pointers overflows. The wrapped result yields a pointer outside the allocated rowBlock backing store, so the decoder's subsequent stores write beyond the bounds of heap memory. Such memory corruption can crash the application or, depending on the surrounding context, be leveraged to inject malicious code or alter program behavior. The weakness corresponds to CWE-190 (Integer Overflow or Wraparound) and CWE-787 (Out-of-bounds Write).
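The C below is an added illustration of the bug class the advisory describes; it is not OpenEXR's code, and the function names and the assumed block layout (component blocks laid out back to back as component * width * bytes_per_sample inside one backing store) are hypothetical. It contrasts the unchecked signed 32-bit offset computation, which wraps for a large width, with a checked size_t computation that refuses overflow and verifies the block fits inside the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical layout (not OpenEXR's): each component's block starts at
 *   base + component * width * bytes_per_sample
 * inside a single backing store of buffer_len bytes. */

/* Unchecked pattern. Signed overflow is undefined behaviour in C, so the
 * product is formed in 64 bits and truncated to its low 32 bits, which
 * reproduces the wrapped value a 32-bit multiply would leave behind. */
static int32_t unchecked_block_offset(int32_t component, int32_t width,
                                      int32_t bytes_per_sample)
{
    int64_t full = (int64_t)component * width * bytes_per_sample;
    uint32_t low = (uint32_t)(uint64_t)full;  /* keep the low 32 bits */
    return (int32_t)low;                      /* wrapped, possibly negative */
}

/* Hardened pattern: widen to size_t, refuse any multiply or add that would
 * overflow, and require the whole block [start, start + row_bytes) to lie
 * inside buffer_len. Returns 1 and sets *offset on success, 0 otherwise. */
static int checked_block_offset(uint32_t component, uint32_t width,
                                uint32_t bytes_per_sample, size_t buffer_len,
                                size_t *offset)
{
    size_t row_bytes, start, end;

    if (width == 0 || bytes_per_sample == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / bytes_per_sample)
        return 0;
    row_bytes = (size_t)width * bytes_per_sample;

    if (component != 0 && row_bytes > SIZE_MAX / component)
        return 0;
    start = row_bytes * component;

    if (start > SIZE_MAX - row_bytes)
        return 0;
    end = start + row_bytes;

    if (end > buffer_len)
        return 0;
    *offset = start;
    return 1;
}

/* Convenience wrapper: the validated offset, or -1 if the block is rejected. */
static long long checked_offset_or_neg(uint32_t component, uint32_t width,
                                       uint32_t bytes_per_sample,
                                       size_t buffer_len)
{
    size_t off;
    if (!checked_block_offset(component, width, bytes_per_sample,
                              buffer_len, &off))
        return -1;
    return (long long)off;
}

int main(void)
{
    /* Constructed inputs: a benign width and a width near INT32_MAX. */
    printf("benign width   -> unchecked offset %d\n",
           unchecked_block_offset(1, 4096, 2));
    printf("huge width     -> unchecked offset %d (wrapped, before buffer)\n",
           unchecked_block_offset(3, INT32_MAX, 2));
    printf("benign width   -> checked offset %lld\n",
           checked_offset_or_neg(1, 4096, 2, (size_t)1 << 20));
    printf("huge width     -> checked offset %lld (rejected)\n",
           checked_offset_or_neg(3, (uint32_t)INT32_MAX, 2, (size_t)1 << 30));
    return 0;
}
```

The check is deliberately done on the final block extent, not just on the multiply: a product that fits in 32 bits can still place a block past the end of the backing store, and the only invariant a decoder actually needs is that every store lands inside the allocation.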

Affected Systems

The flaw affects AcademySoftwareFoundation OpenEXR versions 3.2.0 through 3.2.6, 3.3.x releases before 3.3.9, and 3.4.x releases before 3.4.9. Versions 3.2.7, 3.3.9, and 3.4.9 contain the fix and are therefore not vulnerable.

Risk and Exploitability

The CVSS score of 8.4 classifies this as high severity. Since the vulnerability is triggered by processing a crafted EXR file, it can be exploited when an application loads untrusted images. The absence of an EPSS score and the lack of listing in the CISA KEV catalog suggest that exploitation is currently theoretical, but the high CVSS indicates that an attacker who gains the ability to supply an image can potentially cause denial of service or arbitrary code execution. The likely attack vector is through maliciously crafted image files delivered via local or remote channels to software that incorporates the vulnerable OpenEXR library.

Generated by OpenCVE AI on April 6, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEXR to version 3.2.7 or newer releases (3.3.9/3.4.9)
  • Reject or sandbox untrusted DWA images until the library is patched

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Title OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write
Weaknesses CWE-190
CWE-787
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T15:33:03.276Z

Reserved: 2026-03-30T17:15:52.498Z

Link: CVE-2026-34589

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-06T16:16:36.040

Modified: 2026-04-06T16:16:36.040

Link: CVE-2026-34589

Redhat

Severity: Important

Public Date: 2026-04-06T15:33:03Z

Links: CVE-2026-34589 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-06T21:32:12Z

Weaknesses