DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-34543: Heap Information Disclosure in OpenEXR PXR24 Decompression

Vulnerability ID: CVE-2026-34543
CVSS Score: 8.7
Published: 2026-04-03

A critical heap information disclosure vulnerability in OpenEXR allows remote attackers to leak uninitialized heap memory contents via maliciously crafted EXR files. The flaw exists in the PXR24 decompression logic, where missing bounds checks on truncated zlib streams lead to out-of-bounds reads during image reconstruction.

TL;DR

OpenEXR versions 3.4.0 through 3.4.7 fail to validate decompressed stream lengths in the PXR24 decoder. An attacker can craft a truncated EXR file that leaks uninitialized heap memory into pixel data. Updating to version 3.4.8 resolves the vulnerability.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-908
  • Attack Vector: Network
  • CVSS v4.0: 8.7 (High)
  • EPSS Score: 0.04%
  • Impact: High Confidentiality (Heap Memory Disclosure)
  • Exploit Status: PoC
  • CISA KEV: False

Affected Systems

  • Applications dynamically linking OpenEXRCore 3.4.0 - 3.4.7
  • Applications statically compiling OpenEXR 3.4.0 - 3.4.7
  • Cloud rendering services accepting user-uploaded EXR files
  • Media processing pipelines using affected OpenEXR implementations
  • OpenEXR: 3.4.0 - 3.4.7 (Fixed in: 3.4.8)

Code Analysis

Commit: 5f6d0aa

Fix bounds check in undo_pxr24_impl to prevent uninitialized memory read

- if (nDec + nBytes > uncompressed_size)
+ if (nDec + nBytes > outSize)
      return EXR_ERR_CORRUPT_CHUNK;
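Review bot: the condition now bounds `nDec + nBytes` by `outSize` instead of `uncompressed_size`, but the hunk shows neither where `outSize` is assigned nor a comment distinguishing the two quantities (bytes the decompressor actually produced versus the size the chunk claimed), so a reader cannot tell from the diff alone why the old bound admitted a truncated stream; add a one-line comment at the check naming what `outSize` holds, and pair the change with a regression test that feeds `undo_pxr24_impl` a chunk whose zlib stream ends early and expects `EXR_ERR_CORRUPT_CHUNK`.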
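To make the effect of that one-line bound change concrete, here is an added, simplified model of a PXR24-style scanline reconstruction loop. It is not OpenEXR's code: `rebuild_scanlines`, its parameters and the `stale_bytes_leaked` scenario are constructed for this illustration, and it assumes (as the advisory's description suggests) that the old bound was the size the chunk header claimed while the new one is the byte count the decompressor actually produced.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of a PXR24-style reconstruction loop; NOT OpenEXR's code.
 * dec      : scratch buffer zlib inflated into
 * nDecoded : bytes inflate actually produced (what the commit's "outSize" is assumed to be)
 * expected : bytes the chunk header claimed (the old "uncompressed_size")
 * out      : destination pixel buffer of nLines * nBytes bytes
 * fixed    : 0 = bound on expected (vulnerable), 1 = bound on nDecoded (fixed) */
#define ERR_CORRUPT_CHUNK (-1)

int rebuild_scanlines(const uint8_t *dec, size_t nDecoded, size_t expected,
                      uint8_t *out, size_t nLines, size_t nBytes, int fixed)
{
    size_t bound = fixed ? nDecoded : expected;
    size_t nDec = 0;
    for (size_t y = 0; y < nLines; y++) {
        /* The check the commit changes. With the claimed size as the bound, a
         * truncated stream passes and the loop consumes bytes inflate never
         * wrote: whatever the scratch buffer held before. */
        if (nDec + nBytes > bound)
            return ERR_CORRUPT_CHUNK;
        memcpy(out + y * nBytes, dec + nDec, nBytes); /* stands in for delta decode */
        nDec += nBytes;
    }
    return (int) nDec;                                /* bytes consumed */
}

/* Constructed scenario: a 4-scanline chunk whose zlib stream was cut off
 * after 2 scanlines. The scratch buffer's tail still holds stale 0xAA bytes
 * from earlier use. Returns how many stale bytes reached the pixel output. */
int stale_bytes_leaked(int fixed)
{
    enum { LINES = 4, BYTES = 8, EXPECTED = LINES * BYTES, DECODED = 2 * BYTES };
    uint8_t scratch[EXPECTED], out[EXPECTED];
    memset(scratch, 0xAA, sizeof scratch);            /* stale contents */
    memset(scratch, 0x11, DECODED);                   /* what inflate really wrote */
    memset(out, 0, sizeof out);
    if (rebuild_scanlines(scratch, DECODED, EXPECTED, out, LINES, BYTES, fixed)
        == ERR_CORRUPT_CHUNK)
        return 0;                                     /* chunk rejected: nothing leaked */
    int leaked = 0;
    for (size_t i = 0; i < EXPECTED; i++)
        leaked += (out[i] == 0xAA);
    return leaked;
}
```

With the old bound, the two missing scanlines are filled from stale scratch bytes (16 of them here); with the corrected bound the chunk is rejected on the third scanline and nothing reaches the output.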

Exploit Details

  • Research Analysis: Proof of concept methodology detailed in GitHub Advisory analysis.

Mitigation Strategies

  • Update OpenEXR library to version 3.4.8 or later
  • Recompile applications statically linked against vulnerable versions of libOpenEXRCore
  • Isolate image processing tasks in short-lived, sandboxed environments so that little sensitive data is resident in the heap for a leak to expose
  • Implement strict input validation for external media files

Remediation Steps:

  1. Identify all internal applications and third-party dependencies utilizing OpenEXR.
  2. Upgrade the OpenEXR dependency to v3.4.8 within package managers and build manifests.
  3. Rebuild and redeploy applications statically linking the library.
  4. Monitor application crash logs or unexpected image artifacts during file processing.

Read the full report for CVE-2026-34543 on our website for more details including interactive diagrams and full exploit analysis.
