PT-2026-30663 · Openexr · Openexr
Quangio · Published 2026-04-06 · Updated 2026-05-11 · CVE-2026-34589
CVSS v4.0: 8.4 (High)
Vector: AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
OpenEXR versions 3.2.0 through 3.2.6, 3.3.9, and 3.4.9
Description
OpenEXR, an image storage format used in the motion picture industry, contains a flaw in its DWA lossy decoder. The decoder uses signed 32-bit arithmetic to compute temporary block pointers, and for sufficiently large image widths this computation overflows. The resulting pointer lands outside the allocated row block, so the decoder writes out of bounds, which can crash the process or cause other unexpected behavior.
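An added illustration of the bug class the description names (example code written for this page, not OpenEXR's DWA decoder): a hypothetical 8x8 block pointer computation done in 32-bit arithmetic, beside a hardened version that rejects any offset that would wrap or place the block outside the row block. BLOCK_DIM, the row-major layout and the sample values are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical block layout (an assumption, not OpenEXR's actual DWA code):
 * a block is BLOCK_DIM x BLOCK_DIM samples, consecutive block rows are
 * `width` samples apart, so block (bx, by) starts at by*8*width + bx*8. */
#define BLOCK_DIM 8

/* The flawed pattern: the offset is formed in 32-bit arithmetic. Signed
 * overflow is undefined in C, so the wrap is emulated in uint32_t, which is
 * the two's-complement value a real build typically ends up with. */
static int32_t block_offset_wrapping(int32_t width, int32_t by, int32_t bx)
{
    uint32_t off = (uint32_t)by * BLOCK_DIM * (uint32_t)width
                 + (uint32_t)bx * BLOCK_DIM;
    return (int32_t)off;   /* negative or far too small once it wraps */
}

/* Hardened form: every step is overflow-checked and the whole block must lie
 * inside the allocation (`row_block_len` samples) before the offset is used. */
static bool block_offset_checked(int32_t width, int32_t by, int32_t bx,
                                 size_t row_block_len, size_t *out)
{
    int32_t rows, off, col;
    if (width <= 0 || by < 0 || bx < 0)
        return false;
    if (__builtin_mul_overflow(by, BLOCK_DIM, &rows) ||
        __builtin_mul_overflow(rows, width, &off) ||
        __builtin_mul_overflow(bx, BLOCK_DIM, &col) ||
        __builtin_add_overflow(off, col, &off))
        return false;      /* would have wrapped in 32-bit arithmetic */
    /* One past the last sample of the block: off + (BLOCK_DIM-1) rows + BLOCK_DIM. */
    uint64_t end = (uint64_t)off + (uint64_t)(BLOCK_DIM - 1) * (uint64_t)width
                 + BLOCK_DIM;
    if (end > row_block_len)
        return false;      /* block would run past the row block */
    *out = (size_t)off;
    return true;
}

int main(void)
{
    size_t off;   /* constructed input: width 65536, block row 4096 -> 4096*8*65536 == 2^31 */
    printf("wrapping: %ld\n", (long)block_offset_wrapping(65536, 4096, 0));
    printf("checked: %s\n", block_offset_checked(65536, 4096, 0, SIZE_MAX, &off) ? "ok" : "rejected");
    return 0;
}
```

The wrapping version hands back INT32_MIN for the constructed input, which a decoder would use as a negative row-block offset; the checked version refuses it before any memory is touched.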
Recommendations
Update to OpenEXR version 3.2.7 or later.
Update to OpenEXR version 3.3.9 or later.
Update to OpenEXR version 3.4.9 or later.
Fix
Integer Overflow
Memory Corruption
Affected Products
Openexr