CVE-2026-34543
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). This occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction. This issue has been patched in version 3.4.8.
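The mechanism behind the disclosure, as an added model written for this page rather than OpenEXR's own code: a zlib result shorter than the header's uncompressed size leaves the tail of a reused, padded scratch buffer untouched, and an unchecked copy carries that stale data into the decoded pixels. The decompressor is a stand-in (`fake_inflate`), and the error codes are placeholders named after those in the diff.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added model, not OpenEXR code: placeholder codes mirroring the diff. */
#define ERR_SUCCESS       0
#define ERR_CORRUPT_CHUNK 1

/* Stand-in for libdeflate: a corrupt chunk yields fewer bytes than the
 * header promised. Returns the byte count, like *actual_out. */
static size_t fake_inflate(uint8_t *out, size_t avail, size_t produced)
{
    size_t n = produced < avail ? produced : avail;
    memset(out, 0x11, n);
    return n;
}

/* Vulnerable: copies the header's uncompressed_size, so the unfilled
 * tail of scratch (stale heap data) lands in the pixel buffer. */
int decode_unchecked(uint8_t *scratch, size_t len, size_t uncompressed_size,
                     size_t produced, uint8_t *pixels)
{
    (void) fake_inflate(scratch, len, produced);
    memcpy(pixels, scratch, uncompressed_size);
    return ERR_SUCCESS;
}

/* Fixed: bound the copy by the bytes actually produced and reject a
 * chunk whose output does not match the expected payload size. */
int decode_checked(uint8_t *scratch, size_t len, size_t uncompressed_size,
                   size_t produced, uint8_t *pixels)
{
    size_t outSize = fake_inflate(scratch, len, produced);
    if (outSize != uncompressed_size) return ERR_CORRUPT_CHUNK;
    memcpy(pixels, scratch, outSize);
    return ERR_SUCCESS;
}

/* Decodes into a scratch buffer pre-filled with the 0xEE stale marker.
 * Returns 1 if stale bytes reached pixels, 0 if none did, -1 if rejected. */
int stale_bytes_reach_pixels(int use_check, size_t produced)
{
    uint8_t scratch[64], pixels[64];
    memset(scratch, 0xEE, sizeof scratch);
    memset(pixels, 0, sizeof pixels);
    int rc = use_check ? decode_checked(scratch, 64, 64, produced, pixels)
                       : decode_unchecked(scratch, 64, 64, produced, pixels);
    if (rc != ERR_SUCCESS) return -1;
    for (size_t i = 0; i < sizeof pixels; ++i)
        if (pixels[i] == 0xEE) return 1;
    return 0;
}
```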
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openexr (PyPI) | >= 3.4.0, < 3.4.8 | 3.4.8 |
| openexr (PyPI) | >= 3.3.0, <= 3.3.8 | — |
| openexr (PyPI) | >= 3.2.0, <= 3.2.6 | — |
Patches
Commit 5f6d0aaa9e43: PXR24: reject zlib output that does not match packed payload size (#2310)
2 files changed · +8 −4
src/lib/OpenEXRCore/compression.c+5 −1 modified@@ -201,7 +201,11 @@ exr_uncompress_buffer ( } else if (res == LIBDEFLATE_SHORT_OUTPUT) { - /* TODO: is this an error? */ + /* Decompression succeeded; *actual_out is the byte count. This is + * not an error when out_bytes_avail exceeds the true uncompressed + * size (e.g. PXR24/ZIP use padded scratch buffers). Callers that + * need an exact payload size must compare *actual_out (see e.g. + * undo_pxr24_impl). */ return EXR_ERR_SUCCESS; } return EXR_ERR_CORRUPT_CHUNK;
src/lib/OpenEXRCore/internal_pxr24.c+3 −3 modified@@ -320,7 +320,7 @@ undo_pxr24_impl ( ptr[3] = lastIn; lastIn += w; - if (nDec + nBytes > uncompressed_size) + if (nDec + nBytes > outSize) return EXR_ERR_CORRUPT_CHUNK; for (int x = 0; x < w; ++x) @@ -347,7 +347,7 @@ undo_pxr24_impl ( ptr[1] = lastIn; lastIn += w; - if (nDec + nBytes > uncompressed_size) + if (nDec + nBytes > outSize) return EXR_ERR_CORRUPT_CHUNK; for (int x = 0; x < w; ++x) @@ -374,7 +374,7 @@ undo_pxr24_impl ( ptr[2] = lastIn; lastIn += w; - if (nDec + (uint64_t) (w * 3) > uncompressed_size) + if (nDec + (uint64_t) (w * 3) > outSize) return EXR_ERR_CORRUPT_CHUNK; for (int x = 0; x < w; ++x)
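Review bot: the new comment on the LIBDEFLATE_SHORT_OUTPUT branch in compression.c documents that EXR_ERR_SUCCESS can be returned with *actual_out smaller than out_bytes_avail, but nothing in the hunk makes callers honour that contract; an unchecked short result leaves the unfilled tail of a padded scratch buffer holding whatever was there before, so every caller of exr_uncompress_buffer should be audited for comparing *actual_out against its expected payload size, not only the undo_pxr24_impl the comment names.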
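Review bot: the three bound checks in internal_pxr24.c now compare against outSize instead of uncompressed_size, but none of the hunks shows where outSize is assigned, so the review cannot confirm it holds the byte count the decompressor actually produced (the *actual_out the compression.c comment refers to) rather than the scratch capacity; please include or reference that assignment. In the third hunk, `(uint64_t) (w * 3)` still multiplies in int before the cast; `(uint64_t) w * 3` avoids an overflow for large w.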
References
- github.com/AcademySoftwareFoundation/openexr/commit/5f6d0aaa9e43802917af7db90f181e88e083d3b8 (NVD: patch)
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vc68-257w-m432 (NVD: exploit, vendor advisory)
- github.com/advisories/GHSA-vc68-257w-m432 (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-34543 (GHSA: advisory)
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.8 (NVD: product, release notes)