VYPR
High severity (7.3, NVD) · Advisory · Published Apr 1, 2026 · Updated Apr 7, 2026

CVE-2026-34544

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, a crafted B44 or B44A EXR file can cause an out-of-bounds write in any application that decodes it via exr_decoding_run(). Consequences range from immediate crash (most likely) to corruption of adjacent heap allocations (layout-dependent). This issue has been patched in version 3.4.8.
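To make the arithmetic behind this advisory concrete, here is an added example (not code from the OpenEXR project): it evaluates the B44 row offset `y * nx` the way the pre-3.4.8 code did (32-bit int) beside the widened 64-bit form the fix uses, and adds a hypothetical scratch-size check a decoder could apply; the image dimensions are constructed, not taken from a real file.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Row offset (in uint16_t elements) as the pre-3.4.8 code computed it:
 * y * nx evaluated in 32-bit int. Signed overflow is undefined in C, so
 * the two's-complement wrap is emulated explicitly through uint32_t. */
static int32_t b44_row_offset_int32 (int32_t y, int32_t nx)
{
    uint32_t wrapped = (uint32_t) y * (uint32_t) nx;
    return (int32_t) wrapped;
}

/* Row offset as the 3.4.8 fix computes it: both operands widened first. */
static uint64_t b44_row_offset_u64 (int32_t y, int32_t nx)
{
    return (uint64_t) y * (uint64_t) nx;
}

/* True when the 32-bit product would not represent the real offset, i.e.
 * when "row0 += y * nx" would have moved the pointer somewhere other than
 * the start of row y (negative y or nx is treated as overflow too). */
static bool b44_row_offset_overflows_int32 (int32_t y, int32_t nx)
{
    if (y < 0 || nx < 0) return true;
    return b44_row_offset_u64 (y, nx) > (uint64_t) INT32_MAX;
}

/* Hypothetical hardening check (assumption, not OpenEXR's API): the last
 * row of an nx-by-ny image must end inside a scratch buffer that holds
 * scratch_elems uint16_t values, with every product done in 64 bits. */
static bool b44_rows_fit_scratch (int32_t nx, int32_t ny, uint64_t scratch_elems)
{
    if (nx <= 0 || ny <= 0) return false;
    uint64_t last_row_off = b44_row_offset_u64 (ny - 1, nx);
    return last_row_off + (uint64_t) nx <= scratch_elems;
}

int main (void)
{
    int32_t y = 32768, nx = 65536; /* constructed: y * nx == 2^31 */
    printf ("int32 offset:  %d\n", b44_row_offset_int32 (y, nx));   /* wraps negative */
    printf ("uint64 offset: %llu\n",
            (unsigned long long) b44_row_offset_u64 (y, nx));        /* 2147483648 */
    printf ("overflows int32: %s\n",
            b44_row_offset_overflows_int32 (y, nx) ? "yes" : "no");
    return 0;
}
```

A wrapped, negative offset moves `row0` in front of `scratch`, which is the out-of-bounds write the description refers to; the 64-bit offset is correct but still only safe when `scratch` itself was sized from the same 64-bit `ny * nx` product.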

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions      Patched versions
openexr (PyPI)   >= 3.4.0, < 3.4.8      3.4.8
openexr (PyPI)   >= 3.3.0, <= 3.3.8     (none listed)
openexr (PyPI)   >= 3.2.0, <= 3.2.6     (none listed)

Affected products

  • cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
    Range: >=3.2.0,<3.2.7

Patches

35e7aa35e22c

Fix B44/B44A integer overflow: use uint64_t for row offset (#2312)

1 file changed · +12 -11
  • src/lib/OpenEXRCore/internal_b44.c (+12 -11, modified)
    @@ -427,13 +427,13 @@ compress_b44_impl (exr_encode_pipeline_t* encode, int flat_field)
                 // rightmost column and the bottom row.
                 //
                 uint16_t *row0, *row1, *row2, *row3;
    +            /* row offset in elements: use uint64_t so y*nx cannot overflow int */
    +            uint64_t row_off = (uint64_t) (y) * (uint64_t) (nx);
     
    -            row0 = (uint16_t*) scratch;
    -            row0 += y * nx;
    -
    -            row1 = row0 + nx;
    -            row2 = row1 + nx;
    -            row3 = row2 + nx;
    +            row0 = (uint16_t*) scratch + row_off;
    +            row1 = row0 + (uint64_t) nx;
    +            row2 = row1 + (uint64_t) nx;
    +            row3 = row2 + (uint64_t) nx;
     
                 if (y + 3 >= ny)
                 {
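Review bot: the widened product on `uint64_t row_off = (uint64_t) (y) * (uint64_t) (nx);` fixes the offset, but nothing in this hunk shows that `scratch` was allocated from the same 64-bit `ny * nx` product; please confirm the allocation size is computed without the int overflow this hunk removes, otherwise a correct offset can still land past the buffer. The cast also assumes `y` and `nx` are non-negative: a negative `nx` cast to `uint64_t` becomes an enormous offset, so the comment should point at where `nx > 0` is validated, or an assert should be added here. The per-line casts on `row1 = row0 + (uint64_t) nx;` through `row3` are redundant (pointer plus an `int` that fits does not overflow) but harmless.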
    @@ -557,11 +557,12 @@ uncompress_b44_impl (
     
             for (int y = 0; y < ny; y += 4)
             {
    -            row0 = (uint16_t*) scratch;
    -            row0 += y * nx;
    -            row1 = row0 + nx;
    -            row2 = row1 + nx;
    -            row3 = row2 + nx;
    +            /* row offset in elements: use uint64_t so y*nx cannot overflow int */
    +            uint64_t row_off = (uint64_t) (y) * (uint64_t) (nx);
    +            row0 = (uint16_t*) scratch + row_off;
    +            row1 = row0 + (uint64_t) nx;
    +            row2 = row1 + (uint64_t) nx;
    +            row3 = row2 + (uint64_t) nx;
                 for (int x = 0; x < nx; x += 4)
                 {
                     if (bIn + 3 > comp_buf_size) return EXR_ERR_OUT_OF_MEMORY;
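Review bot: this decode-path hunk repeats the compress-path change line for line; consider factoring the four row-pointer computations into one static helper so the same fix never has to be applied in two places again. The context line `if (bIn + 3 > comp_buf_size) return EXR_ERR_OUT_OF_MEMORY;` bounds the input side per block, but the output side only relies on `row_off + 4 * nx` fitting in `scratch`; a comment stating that invariant (scratch holds at least `ny * nx` elements, computed in 64-bit) next to `uint64_t row_off` would make the reasoning behind the fix reviewable.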
    
