{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34589", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T17:15:52.498Z", "datePublished": "2026-04-06T15:33:03.276Z", "dateUpdated": "2026-04-07T13:05:41.117Z"}, "containers": {"cna": {"title": "OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write", "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x"}, {"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7"}, {"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9"}, {"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9"}], "affected": [{"vendor": "AcademySoftwareFoundation", "product": "openexr", "versions": [{"version": ">= 3.2.0, < 3.2.7", "status": "affected"}, {"version": ">= 3.3.0, < 3.3.9", "status": "affected"}, {"version": ">= 3.4.0, < 3.4.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T03:08:13.554Z"}, "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9."}], "source": {"advisory": "GHSA-p8xc-w3q4-h64x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T03:56:05.730658Z", "id": "CVE-2026-34589", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:05:41.117Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34589", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T03:56:05.730658Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:05:37.515Z"}}], "cna": {"title": "OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write", "source": {"advisory": "GHSA-p8xc-w3q4-h64x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "AcademySoftwareFoundation", "product": "openexr", "versions": [{"status": "affected", "version": ">= 3.2.0, < 3.2.7"}, {"status": "affected", "version": ">= 3.3.0, < 3.3.9"}, {"status": "affected", "version": ">= 3.4.0, < 3.4.9"}]}], "references": [{"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x", "name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7", "name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9", "name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9", "name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T03:08:13.554Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34589", "state": "PUBLISHED", "dateUpdated": "2026-04-07T13:05:41.117Z", "dateReserved": "2026-03-30T17:15:52.498Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T15:33:03.276Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E7AA082-2647-4AAD-9902-1E3873882A3D", "versionEndExcluding": "3.2.7", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8321A2E-759A-4B1E-9AAF-0204791F4323", "versionEndExcluding": "3.3.9", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "matchCriteriaId": "94F2D271-636B-4E9E-A04B-40E635A59117", "versionEndExcluding": "3.4.9", "versionStartIncluding": "3.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9."}], "id": "CVE-2026-34589", "lastModified": "2026-04-07T18:59:05.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T16:16:36.040", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "OpenEXR: OpenEXR: Memory corruption leading to arbitrary code execution or denial of service", "id": "2455411", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455411"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in OpenEXR. The DWA lossy decoder, responsible for processing EXR image files, incorrectly handles large image widths. This occurs because temporary block pointers are constructed using signed 32-bit arithmetic, which can overflow. A remote attacker could exploit this by providing a specially crafted EXR file, leading to memory corruption and potentially arbitrary code execution or denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34589", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "OpenEXR", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-06T15:33:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34589\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34589\nhttps://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.3.0,3.3.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.4.0,3.4.9)"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 82.0, "source": "matching"}]}, "original": {"product": "openexr", "source": "cna", "vendor": "AcademySoftwareFoundation"}, "product": "openexr", "vendor": "academysoftwarefoundation"}], "analysis": {"en": {"generated_at": "2026-04-07T21:40:11.150530+00:00", "value": {"mitigation_remediation": ["Update OpenEXR to version 3.2.7, 3.3.9, or 3.4.9 or newer."], "summary": {"action": "Immediate Patch", "impact": "Heap Out\u2011of\u2011Bounds Write"}, "threat_synthesis": {"affected_systems": "Affected versions are OpenEXR 3.2.0 up to but excluding 3.2.7, 3.3.9, and 3.4.9. The open source reference implementation from the Academy Software Foundation is impacted; the issue was fixed in releases 3.2.7, 3.3.9, and 3.4.9.", "description_and_impact": "The vulnerability arises in the DWA lossy decoder of OpenEXR, where signed 32\u2011bit arithmetic is used to compute temporary per\u2011component block pointers. For a sufficiently large image width, the calculation overflows and the decoder later writes to a wrapped pointer outside the allocated rowBlock backing store. This results in a heap out\u2011of\u2011bounds write that can corrupt memory, potentially leading to crashes or, depending on the context, arbitrary code execution. The weak point is a classic signed integer overflow combined with a subsequent out\u2011of\u2011bounds write.", "risk_and_exploitability": "The CVSS score of 8.4 indicates a high severity vulnerability. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting low current exploitation probability. However, the attack vector is likely local or remote file\u2011processing; a malicious or compromised image file with a large width can trigger the overflow. Exploitation requires crafting a DWA\u2011encoded EXR file and delivering it to a vulnerable application that processes untrusted images."}}}}, "created": "2026-04-06T21:32:12.944338+00:00", "updated": "2026-04-08T19:50:42.856880+00:00", "vendors": ["academysoftwarefoundation", "academysoftwarefoundation$PRODUCT$openexr"]}