CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34589: Heap Out-of-Bounds Write in OpenEXR DWA Lossy Decoder

Vulnerability ID: CVE-2026-34589
CVSS Score: 8.4
Published: 2026-04-08

CVE-2026-34589 is a high-severity heap out-of-bounds write vulnerability within the OpenEXR Core library, specifically in the DreamWorks Animation (DWA) lossy decompression logic. By crafting a malicious EXR file with excessively large dimensions, an attacker can trigger a 32-bit signed integer overflow that corrupts subsequent pointer arithmetic. This memory corruption affects multiple version branches of OpenEXR and allows an attacker to cause a denial-of-service condition or potentially execute arbitrary code.

TL;DR

A 32-bit signed integer overflow in OpenEXR's DWA decoder produces a negative memory offset, resulting in a heap out-of-bounds write during file decompression.


Technical Details

  • CWE IDs: CWE-190, CWE-787
  • Attack Vector: Local (AV:L)
  • CVSS 4.0: 8.4
  • EPSS Score: 0.00028
  • Exploit Status: None
  • Impact: Denial of Service, Potential RCE

Affected Systems

  • OpenEXR 3.2.0 - 3.2.6 (fixed in 3.2.7)
  • OpenEXR 3.3.0 - 3.3.8 (fixed in 3.3.9)
  • OpenEXR 3.4.0 - 3.4.8 (fixed in 3.4.9)

Code Analysis

Commit: b5fa98a

Security advisory metadata added to SECURITY.md

Mitigation Strategies

  • Upgrade to patched OpenEXR versions (3.2.7, 3.3.9, or 3.4.9)
  • Implement strict validation of EXR dataWindow dimensions before passing them to the decoder
  • Utilize 64-bit unsigned integers (size_t) for memory offset calculations
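Added illustration of the bug class and of the last two mitigations; this is constructed example code, not OpenEXR's decoder. The function names, the MAX_PIXELS policy ceiling and the scanline writer are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed policy ceiling on decodable pixels; not an OpenEXR constant. */
#define MAX_PIXELS ((size_t)1 << 28)
/* Vulnerable pattern: the byte offset is computed in int32_t from dimensions the file
 * controls. Signed overflow is undefined in C, so the wraparound is reproduced with
 * uint32_t arithmetic and a cast, which matches what real builds typically observe. */
int32_t offset_int32(int32_t width, int32_t height, int32_t bytes_per_pixel)
{
    uint32_t bytes = (uint32_t)width * (uint32_t)height * (uint32_t)bytes_per_pixel;
    return (int32_t)bytes; /* 65536 x 16384 x 2 wraps to INT32_MIN: a negative "offset" */
}

/* Hardened form: reject non-positive dimensions, then multiply in size_t with explicit
 * overflow checks. Returns 0 on success, -1 if the dimensions are invalid or too large. */
int offset_checked(int32_t width, int32_t height, int32_t bytes_per_pixel, size_t *out_bytes)
{
    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0)
        return -1;
    size_t w = (size_t)width, h = (size_t)height, bpp = (size_t)bytes_per_pixel;
    if (w > MAX_PIXELS / h)        /* pixel count over policy; also rules out w*h overflow */
        return -1;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / bpp)   /* byte count would overflow size_t */
        return -1;
    *out_bytes = pixels * bpp;
    return 0;
}

/* Convenience wrapper: the validated byte count, or 0 when the dimensions are rejected. */
size_t checked_bytes(int32_t width, int32_t height, int32_t bytes_per_pixel)
{
    size_t n = 0;
    return offset_checked(width, height, bytes_per_pixel, &n) == 0 ? n : 0;
}
/* Bounds-checked copy of one scanline into a buffer of buf_len bytes.
 * Returns 0 if row * row_bytes + row_bytes <= buf_len, else -1 without writing. */
int write_scanline(unsigned char *buf, size_t buf_len, size_t row, size_t row_bytes,
                   const unsigned char *src)
{
    if (row_bytes == 0 || row_bytes > buf_len)
        return -1;
    if (row > (buf_len - row_bytes) / row_bytes)
        return -1;
    memcpy(buf + row * row_bytes, src, row_bytes);
    return 0;
}
```

The validated byte count from offset_checked() is what the destination buffer should be allocated with, and write_scanline() refuses any row that would land outside it.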

Remediation Steps:

  1. Identify all applications and rendering pipelines utilizing the OpenEXR library.
  2. Determine the active branch of OpenEXR currently in use (3.2.x, 3.3.x, or 3.4.x).
  3. Deploy the appropriate patched version (3.2.7, 3.3.9, or 3.4.9) to the affected systems.
  4. Recompile dependent applications if statically linked against libOpenEXRCore.
