OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write
Summary
| CVE | CVE-2026-34589 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-06 16:16:36 UTC |
| Updated | 2026-04-07 18:59:05 UTC |
| Description | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. |
Risk And Classification
Primary CVSS: v4.0 8.4 HIGH from [email protected]
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000140000 probability, percentile 0.024600000 (date 2026-04-07)
Problem Types: CWE-190 | CWE-787 | CWE-190 CWE-190: Integer Overflow or Wraparound | CWE-787 CWE-787: Out-of-bounds Write
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.4 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 8.4 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H |
CVSS v4.0 Breakdown
Attack Vector
LocalAttack Complexity
LowAttack Requirements
NonePrivileges Required
NoneUser Interaction
ActiveConfidentiality
HighIntegrity
HighAvailability
HighSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
RequiredScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | AcademySoftwareFoundation | Openexr | affected >= 3.2.0, < 3.2.7 | Not specified |
| CNA | AcademySoftwareFoundation | Openexr | affected >= 3.3.0, < 3.3.9 | Not specified |
| CNA | AcademySoftwareFoundation | Openexr | affected >= 3.4.0, < 3.4.9 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 | [email protected] | github.com | Product, Release Notes |
| github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 | [email protected] | github.com | Product, Release Notes |
| github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 | [email protected] | github.com | Product, Release Notes |
| github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8... | [email protected] | github.com | Exploit, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.