CVE-2026-34588
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
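The description above comes down to one arithmetic fact: the per-channel block length is the product of three `int` values, and that product is used to move a pointer. The following C program is an added illustration, not OpenEXR's code and not its actual fix; the function names and the sample dimensions are constructed for the example. It shows the product computed the way a signed 32-bit expression wraps, the hardened form that rejects any dimensions whose product does not fit, and the bounds check a decoder needs before its cursor steps to the next channel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not OpenEXR's code: a per-channel wavelet block holds
 * nx * ny * wcount samples. The "before" form computes that count the way a
 * signed 32-bit expression does, so a crafted header can wrap it. The
 * multiplication is done in uint32_t so the wrap is well-defined here; with
 * plain int operands it is undefined behaviour that in practice wraps the
 * same way. */
static int32_t wrapping_block_len(int32_t nx, int32_t ny, int32_t wcount)
{
    uint32_t p = (uint32_t)nx * (uint32_t)ny * (uint32_t)wcount;
    return (int32_t)p;
}

/* Hardened form: reject negative dimensions and any product that does not
 * fit the 32-bit range the decoder indexes with. Returns true on success. */
static bool checked_block_len(int32_t nx, int32_t ny, int32_t wcount, size_t *out)
{
    if (nx < 0 || ny < 0 || wcount < 0)
        return false;
    uint64_t p = (uint64_t)nx * (uint64_t)ny;      /* both < 2^31, so p < 2^62 */
    if (wcount != 0 && p > UINT64_MAX / (uint64_t)wcount)
        return false;                               /* third factor would overflow */
    p *= (uint64_t)wcount;
    if (p > (uint64_t)INT32_MAX)
        return false;
    *out = (size_t)p;
    return true;
}

/* Advance a cursor over a sample buffer of `total` elements to the next
 * channel, refusing the step if the block would run past the buffer end.
 * This is the check a decoder needs before touching the next channel. */
static bool advance_channel(size_t total, size_t cur, int32_t nx, int32_t ny,
                            int32_t wcount, size_t *next)
{
    size_t len;
    if (cur > total)
        return false;
    if (!checked_block_len(nx, ny, wcount, &len))
        return false;
    if (len > total - cur)
        return false;
    *next = cur + len;
    return true;
}

int main(void)
{
    /* Constructed dimensions: 65537 * 65536 * 1 = 2^32 + 65536, which wraps
     * to 65536 in 32-bit arithmetic, a small, plausible-looking block length. */
    int32_t nx = 65537, ny = 65536, wcount = 1;
    size_t len, next;

    printf("wrapping length: %d\n", wrapping_block_len(nx, ny, wcount));
    printf("checked length accepted: %s\n",
           checked_block_len(nx, ny, wcount, &len) ? "yes" : "no");

    /* Sane dimensions on a buffer sized for them pass the cursor check. */
    if (advance_channel(1920u * 1080u * 3u, 0, 1920, 1080, 3, &next))
        printf("next channel starts at element %zu\n", next);
    return 0;
}
```

The point of the checked form is that the decision is made on the header values before any pointer is derived from them: once a wrapped length has been used to move the cursor, every later read and write of the in-place decode is already at the wrong address.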
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OpenEXR (PyPI) | >= 3.1.0, < 3.2.7 | 3.2.7 |
| OpenEXR (PyPI) | >= 3.3.0, < 3.3.9 | 3.3.9 |
| OpenEXR (PyPI) | >= 3.4.0, < 3.4.9 | 3.4.9 |
Affected products
Patches
No patches discovered yet.
References
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf (vendor advisory)
- github.com/advisories/GHSA-588r-cr5c-w6hf (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-34588 (NVD entry)
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 (release notes)
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 (release notes)
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 (release notes)