{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34380", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:43:14.370Z", "datePublished": "2026-04-06T15:22:40.198Z", "dateUpdated": "2026-04-07T03:07:36.146Z"}, "containers": {"cna": {"title": "OpenEXR has a signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression", "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q3v8-hw4m-59w5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q3v8-hw4m-59w5"}, {"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7"}, {"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9"}, {"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9"}], "affected": [{"vendor": "AcademySoftwareFoundation", "product": "openexr", "versions": [{"version": ">= 3.2.0, < 3.2.7", "status": "affected"}, {"version": ">= 3.3.0, < 3.3.9", "status": "affected"}, {"version": ">= 3.4.0, < 3.4.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T03:07:36.146Z"}, "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c at line 377. The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit integer before casting to uint64_t. When w is large, this multiplication constitutes undefined behavior under the C standard. On tested builds (clang/gcc without sanitizers), two's-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer, which may allow the subsequent bounds check to pass incorrectly. If the check is bypassed, the decoding loop proceeds to write pixel data through dout, potentially extending far beyond the allocated output buffer. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9."}], "source": {"advisory": "GHSA-q3v8-hw4m-59w5", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c at line 377. The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit integer before casting to uint64_t. When w is large, this multiplication constitutes undefined behavior under the C standard. On tested builds (clang/gcc without sanitizers), two's-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer, which may allow the subsequent bounds check to pass incorrectly. If the check is bypassed, the decoding loop proceeds to write pixel data through dout, potentially extending far beyond the allocated output buffer. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9."}], "id": "CVE-2026-34380", "lastModified": "2026-04-07T04:17:16.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T16:16:35.400", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7"}, {"source": "security-advisories@github.com", "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9"}, {"source": "security-advisories@github.com", "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9"}, {"source": "security-advisories@github.com", "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q3v8-hw4m-59w5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "OpenEXR: OpenEXR: Denial of Service due to signed integer overflow in image decoding", "id": "2455384", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455384"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in OpenEXR, an image storage format library. A remote attacker could exploit a signed integer overflow vulnerability in the `undo_pxr24_impl()` function when processing a specially crafted EXR image file. This overflow can cause the application to write pixel data beyond its allocated memory buffer, leading to a buffer overflow. The primary consequence of this vulnerability is a denial of service, which could make the application unavailable."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34380", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "openexr", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "openexr", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-06T15:22:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34380\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34380\nhttps://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q3v8-hw4m-59w5"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.3.0,3.3.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.4.0,3.4.9)"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 82.0, "source": "matching"}]}, "original": {"product": "openexr", "source": "cna", "vendor": "AcademySoftwareFoundation"}, "product": "openexr", "vendor": "academysoftwarefoundation"}], "analysis": {"en": {"generated_at": "2026-04-06T18:05:18.960809+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEXR to version 3.2.7, 3.3.9, 3.4.9 or later.", "Verify that the installed library reflects the updated version.", "Rebuild or relink any applications that link against the older library with the updated version.", "If an upgrade cannot be performed immediately, restrict or quarantine the use of EXR files until a patch is available.", "Monitor vendor advisories for further updates or additional mitigations."], "summary": {"action": "Immediate Patch", "impact": "Buffer Overflow and Memory Corruption"}, "threat_synthesis": {"affected_systems": "The affected product is the OpenEXR library provided by the AcademySoftwareFoundation. Versions from 3.2.0 up to but not including 3.2.7, from 3.3.0 up to but not including 3.3.9, and from 3.4.0 up to but not including 3.4.9 contain the vulnerability. The fix is included in versions 3.2.7, 3.3.9, and 3.4.9 and later.", "description_and_impact": "A signed integer overflow occurs in the OpenEXR library when a width value is multiplied by three using a signed 32\u2011bit integer before being cast to 64 bits. For large width values this overflow yields a small positive number, allowing the bounds check on the decompression destination buffer to incorrectly succeed. The subsequent decoding loop then writes pixel data past the allocated buffer, causing a heap buffer overflow that can corrupt memory. Based on the description, it is inferred that a maliciously crafted EXR file could exploit this flaw to trigger arbitrary code execution if the overflow leads to overwrite of executable code or control data.", "risk_and_exploitability": "The CVSS base score of 5.9 indicates a medium severity vulnerability. No publicly available EPSS score is listed, and the flaw is not included in the CISA KEV catalog. An attacker can potentially trigger the overflow by supplying a malicious EXR file that the vulnerable library processes, which is likely achievable in any context where an application accepts external EXR images. The vulnerability manifests during decompression, so read access to load a crafted file is sufficient. Based on the description, it is inferred that the overflow could allow arbitrary code execution or a denial of service if memory corruption occurs."}}}}, "created": "2026-04-06T20:14:06.609723+00:00", "updated": "2026-04-06T21:32:19.263998+00:00", "vendors": ["academysoftwarefoundation", "academysoftwarefoundation$PRODUCT$openexr"]}