Medium severity6.5NVD Advisory· Published Apr 6, 2026· Updated Apr 7, 2026
CVE-2026-34378
CVE-2026-34378
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a signed integer overflow in generic_unpack(). By setting dataWindow.min.x to a large negative value, OpenEXRCore computes an enormous image width, which is later used in a signed integer multiplication that overflows, causing the process to terminate with SIGILL via UBSan. This vulnerability is fixed in 3.4.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-v76p-4qvv-vh4gnvdExploitVendor Advisory
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9nvdProductRelease Notes
News mentions
0No linked articles in our index yet.