Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Published: 2026-04-06
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap Out‑of‑Bounds Write
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises in the DWA lossy decoder of OpenEXR, where signed 32‑bit arithmetic is used to compute temporary per‑component block pointers. For a sufficiently large image width, the calculation overflows and the decoder later writes to a wrapped pointer outside the allocated rowBlock backing store. This results in a heap out‑of‑bounds write that can corrupt memory, potentially leading to crashes or, depending on the context, arbitrary code execution. The weak point is a classic signed integer overflow combined with a subsequent out‑of‑bounds write.

Affected Systems

Affected versions are OpenEXR 3.2.0 up to but excluding 3.2.7, 3.3.9, and 3.4.9. The open source reference implementation from the Academy Software Foundation is impacted; the issue was fixed in releases 3.2.7, 3.3.9, and 3.4.9.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity vulnerability. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting low current exploitation probability. However, the attack vector is likely local or remote file‑processing; a malicious or compromised image file with a large width can trigger the overflow. Exploitation requires crafting a DWA‑encoded EXR file and delivering it to a vulnerable application that processes untrusted images.

Generated by OpenCVE AI on April 7, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenEXR to version 3.2.7, 3.3.9, or 3.4.9 or newer.

Generated by OpenCVE AI on April 7, 2026 at 21:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p8xc-w3q4-h64x OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write
History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Openexr
Openexr openexr
CPEs cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
Vendors & Products Openexr
Openexr openexr
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Academysoftwarefoundation
Academysoftwarefoundation openexr
Vendors & Products Academysoftwarefoundation
Academysoftwarefoundation openexr

Tue, 07 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Title OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write
Weaknesses CWE-190
CWE-787
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Academysoftwarefoundation Openexr
Openexr Openexr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T13:05:41.117Z

Reserved: 2026-03-30T17:15:52.498Z

Link: CVE-2026-34589

cve-icon Vulnrichment

Updated: 2026-04-07T13:05:37.515Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T16:16:36.040

Modified: 2026-04-07T18:59:05.807

Link: CVE-2026-34589

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-06T15:33:03Z

Links: CVE-2026-34589 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:50:42Z

Weaknesses