PT-2026-30659 · Industrial Light & Magic+2 · Openexr+2

Pwn2Woot

Published: 2026-04-06
Updated: 2026-05-11

CVE-2026-34380
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: OpenEXR versions 3.2.0 through 3.2.6, 3.3.9, and 3.4.9

Description: A signed integer overflow exists in the undo_pxr24_impl() function within the OpenEXR library. The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit integer before converting the result to an unsigned 64-bit integer. When w is large, the multiplication overflows the 32-bit signed type, which is undefined behavior. In tested builds, two's-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer. Converting that small value to uint64_t lets a subsequent bounds check pass incorrectly, allowing the decoding loop to write pixel data beyond the allocated output buffer.

Recommendations: Update to OpenEXR version 3.2.7, 3.3.9, or 3.4.9.
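The arithmetic behind the description, as an added illustration that is not OpenEXR's code: the vulnerable pattern widens to 64 bits only after a 32-bit signed multiply, while the corrected form widens first. Because signed overflow is undefined in C, the wrap is reproduced deterministically with unsigned modular arithmetic rather than by triggering the overflow itself; the width value, buffer size and helper names (wrapped_row_bytes, safe_row_bytes, row_fits) are constructed for this demo and do not come from the library.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values for the demo (not from OpenEXR or the advisory). */
#define DEMO_WIDTH       1431655766   /* 0x55555556: 3*w == 2^32 + 2, wraps to 2 */
#define DEMO_BUFFER_SIZE 4096ULL      /* bytes available in the output buffer */

#define UINT32_RANGE 4294967296ULL    /* 2^32 */

/* Model of the vulnerable expression (uint64_t)(w * 3), where w is int32_t.
 * The product is reduced modulo 2^32, reinterpreted as a signed 32-bit value
 * (two's complement, as observed in tested builds), then widened to 64 bits.
 * This is done with well-defined unsigned math so the demo itself has no UB. */
uint64_t wrapped_row_bytes(int32_t w) {
    uint64_t mod32 = ((uint64_t)(uint32_t)w * 3ULL) % UINT32_RANGE;
    int64_t as_int32 = (mod32 >= 0x80000000ULL)
                           ? (int64_t)mod32 - (int64_t)UINT32_RANGE
                           : (int64_t)mod32;
    /* Negative values become huge when converted to uint64_t and would fail a
     * bounds check; the dangerous case is a wrap to a small positive value. */
    return (uint64_t)as_int32;
}

/* Corrected form: widen w before multiplying, so no 32-bit overflow occurs. */
uint64_t safe_row_bytes(int32_t w) {
    return (uint64_t)w * 3ULL;
}

/* Simplified stand-in for a decoder bounds check: does one row of w pixels,
 * 3 bytes per pixel, fit in the remaining output buffer? */
bool row_fits(uint64_t row_bytes, uint64_t bytes_available) {
    return row_bytes <= bytes_available;
}

int main(void) {
    uint64_t buggy = wrapped_row_bytes(DEMO_WIDTH);
    uint64_t fixed = safe_row_bytes(DEMO_WIDTH);

    printf("w = %d, buffer = %llu bytes\n", DEMO_WIDTH,
           (unsigned long long)DEMO_BUFFER_SIZE);
    printf("buggy (uint64_t)(w * 3)  = %llu -> check %s\n",
           (unsigned long long)buggy,
           row_fits(buggy, DEMO_BUFFER_SIZE) ? "passes (overflow)" : "fails");
    printf("fixed (uint64_t)w * 3    = %llu -> check %s\n",
           (unsigned long long)fixed,
           row_fits(fixed, DEMO_BUFFER_SIZE) ? "passes" : "fails (rejected)");
    return 0;
}
```

With the constructed width, the buggy computation reports a 2-byte row and the check passes although the loop would actually need about 4 GiB; the widened multiplication reports the true size and the row is rejected. The same widening (or a checked multiply) is the fix pattern to look for when reviewing other size computations of the form (wide_type)(narrow_a * narrow_b).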

Fix

Integer Overflow

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2026-34380
OESA-2026-1840
OESA-2026-1841
OESA-2026-1842
OESA-2026-1843
OESA-2026-1844
OPENSUSE-SU-2026:10505-1
OPENSUSE-SU-2026:20605-1
USN-8259-1

Affected Products

Linuxmint
Openexr
Ubuntu