Pwn2Woot

#13842of 53,632
19.5Total CVSS
Vulnerabilities · 3
Medium
2
High
1
PT-2026-30657
6.5
2026-04-06
Openexr · Openexr · CVE-2026-34378
Name of the Vulnerable Software and Affected Versions OpenEXR versions 3.4.0 through 3.4.8 Description A missing bounds check on the `dataWindow` attribute in EXR file headers can lead to a signed integer overflow in the `generic unpack()` function. Setting `dataWindow.min.x` to a large negative value causes OpenEXRCore to calculate an excessively large image width. This width is then used in a signed integer multiplication, resulting in an overflow and process termination via SIGILL and UBSan. Recommendations Update to version 3.4.9 or later.
PT-2026-30658
7.1
2026-04-06
Openexr · Openexr · CVE-2026-34379
Name of the Vulnerable Software and Affected Versions OpenEXR versions 3.2.0 through 3.2.6, version 3.3.9, and version 3.4.9 Description A memory write issue exists in the LossyDctDecoder execute() function within src/lib/OpenEXRCore/internal dwa decoder.h:749 when decoding DWA or DWAB-compressed EXR files with FLOAT-type channels. The decoder casts an unaligned uint8 t * row pointer to float * and writes through it, leading to undefined behavior on architectures enforcing alignment (ARM, RISC-V, etc.). While silently tolerated on x86, it remains exploitable through compiler optimizations. Recommendations Update to OpenEXR version 3.2.7 or later. Update to OpenEXR version 3.3.9 or later. Update to OpenEXR version 3.4.9 or later.
PT-2026-30659
5.9
2026-04-06
Industrial Light & Magic · Openexr · CVE-2026-34380
Name of the Vulnerable Software and Affected Versions OpenEXR versions 3.2.0 through 3.2.6, 3.3.9, and 3.4.9 Description A signed integer overflow exists in the `undo pxr24 impl()` function within the OpenEXR library. The expression `(uint64 t)(w * 3)` calculates `w * 3` as a signed 32-bit integer before converting it to an unsigned 64-bit integer. When `w` is a large value, this multiplication can lead to undefined behavior. In tested builds, two's-complement wraparound commonly occurs, and for specific values of `w`, the wrapped result is a small positive integer. This can cause a subsequent bounds check to pass incorrectly, allowing the decoding loop to write pixel data beyond the allocated output buffer. Recommendations Update to OpenEXR version 3.2.7, 3.3.9, or 3.4.9.