High severity 7.3 · NVD Advisory · Published Apr 1, 2026 · Updated Apr 7, 2026
CVE-2026-34544
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, a crafted B44 or B44A EXR file can cause an out-of-bounds write in any application that decodes it via exr_decoding_run(). Consequences range from immediate crash (most likely) to corruption of adjacent heap allocations (layout-dependent). This issue has been patched in version 3.4.8.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openexr (PyPI) | >= 3.4.0, < 3.4.8 | 3.4.8 |
| openexr (PyPI) | >= 3.3.0, <= 3.3.8 | — |
| openexr (PyPI) | >= 3.2.0, <= 3.2.6 | — |
Affected products
osv-coords, 18 versions:
- pkg:apk/chainguard/openexr (no CPE), range: < 3.4.9-r0
- pkg:apk/chainguard/openexr-dev (no CPE), range: < 3.4.9-r0
- pkg:apk/chainguard/openexr-doc (no CPE), range: < 3.4.9-r0
- pkg:apk/chainguard/openexr-libiex (no CPE), range: < 3.4.9-r0
- pkg:apk/chainguard/openexr-libilmthread (no CPE), range: < 3.4.9-r0
- pkg:apk/chainguard/openexr-libopenexr (no CPE), range: < 3.4.9-r0
- pkg:apk/chainguard/openexr-libopenexrcore (no CPE), range: < 3.4.9-r0
- pkg:apk/chainguard/openexr-libopenexrutil (no CPE), range: < 3.4.9-r0
- pkg:apk/wolfi/openexr (no CPE), range: < 3.4.9-r0
- pkg:apk/wolfi/openexr-dev (no CPE), range: < 3.4.9-r0
- pkg:apk/wolfi/openexr-doc (no CPE), range: < 3.4.9-r0
- pkg:apk/wolfi/openexr-libiex (no CPE), range: < 3.4.9-r0
- pkg:apk/wolfi/openexr-libilmthread (no CPE), range: < 3.4.9-r0
- pkg:apk/wolfi/openexr-libopenexr (no CPE), range: < 3.4.9-r0
- pkg:apk/wolfi/openexr-libopenexrcore (no CPE), range: < 3.4.9-r0
- pkg:apk/wolfi/openexr-libopenexrutil (no CPE), range: < 3.4.9-r0
- pkg:pypi/openexr (no CPE), range: >= 3.4.0, < 3.4.8
- pkg:rpm/opensuse/openexr&distro=openSUSE%20Tumbleweed (no CPE), range: < 3.4.9-1.1
References
- github.com/AcademySoftwareFoundation/openexr/commit/35e7aa35e22c1975606be86e859f31cc1fc598ee (nvd: Patch, WEB)
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h762-rhv3-h25v (nvd: Exploit, Vendor Advisory, WEB)
- github.com/advisories/GHSA-h762-rhv3-h25v (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-34544 (ghsa: ADVISORY)
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.8 (nvd: Product, Release Notes, WEB)