CVE-2026-34588: CVE-2026-34588: Signed 32-bit Integer Overflow leading to Out-of-Bounds Memory Access in OpenEXR PIZ Decoder

#security #cve #cybersecurity

CVE-2026-34588: Signed 32-bit Integer Overflow leading to Out-of-Bounds Memory Access in OpenEXR PIZ Decoder

Vulnerability ID: CVE-2026-34588
CVSS Score: 7.8
Published: 2026-04-08

OpenEXR versions 3.1.0 through 3.4.8 contain a signed 32-bit integer overflow vulnerability in the PIZ decompression routine. Processing maliciously crafted EXR files with extreme image dimensions triggers out-of-bounds read and write operations, potentially enabling arbitrary code execution or localized denial of service.

TL;DR

A signed integer overflow in OpenEXR's PIZ decoder allows attackers to execute out-of-bounds memory accesses via crafted EXR image files, leading to application crashes or potential remote code execution.

Technical Details

CWE ID: CWE-190
Attack Vector: Local
CVSS v3.1: 7.8
EPSS Score: 0.00022
Impact: Out-of-Bounds Read/Write
Exploit Status: None
KEV Status: Not Listed

Affected Systems

OpenEXR 3.1.0 through 3.1.13
OpenEXR 3.2.0 through 3.2.6
OpenEXR 3.3.0 through 3.3.8
OpenEXR 3.4.0 through 3.4.8
OpenEXR: 3.1.0 - 3.1.13 (Fixed in: 3.2.7)
OpenEXR: 3.2.0 - < 3.2.7 (Fixed in: 3.2.7)
OpenEXR: 3.3.0 - < 3.3.9 (Fixed in: 3.3.9)
OpenEXR: 3.4.0 - < 3.4.9 (Fixed in: 3.4.9)

Mitigation Strategies

Upgrade OpenEXR to versions 3.2.7, 3.3.9, or 3.4.9.
Implement strict bounds checking on untrusted image dimensions before passing to the OpenEXR API.
Isolate image processing workloads in heavily sandboxed environments.

Remediation Steps:

Identify all applications statically or dynamically linking the OpenEXRCore library.
Update dependencies to the patched versions.
Recompile statically linked binaries.
Deploy updated packages to production environments.