CVE-2026-34379
Misaligned Memory Write in OpenEXR LossyDctDecoder Causes Crashes
Publication date: 2026-04-06
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openexr | openexr | From 3.2.0 (inc) to 3.2.7 (exc) |
| openexr | openexr | From 3.3.0 (inc) to 3.3.9 (exc) |
| openexr | openexr | From 3.4.0 (inc) to 3.4.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-704 | The product does not correctly convert an object, resource, or structure from one type to a different type. |
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in OpenEXR involves a misaligned memory write that can cause crashes or potential code execution when decoding certain EXR image files. It primarily impacts application availability and integrity by causing denial of service or silent data corruption.
However, there is no direct impact on confidentiality, as the vulnerability does not expose or leak sensitive data.
Because common standards and regulations like GDPR and HIPAA emphasize protecting confidentiality, integrity, and availability of data, this vulnerability mainly affects the availability and integrity aspects but does not directly compromise confidentiality.
Organizations relying on OpenEXR for processing untrusted EXR files should consider this vulnerability in their risk assessments and apply patches to maintain compliance with availability and integrity requirements under these regulations.
Can you explain this vulnerability to me?
CVE-2026-34379 is a high-severity vulnerability in the OpenEXR library affecting versions 3.2.0 through 3.4.7. It occurs in the function LossyDctDecoder_execute() when decoding DWA or DWAB-compressed EXR image files that contain FLOAT-type channels.
The vulnerability arises because the decoder performs an in-place conversion from HALF (16-bit) to FLOAT (32-bit) by casting an unaligned uint8_t* row pointer to a float* pointer and writing through it without ensuring proper 4-byte alignment. Since the row buffer pointers are assigned sequentially without alignment padding, the FLOAT channel's pointer may be misaligned.
This misaligned memory write leads to undefined behavior under the C standard. On architectures enforcing strict alignment (such as ARM, RISC-V, MIPS), this causes immediate crashes or denial of service. On x86 architectures, misaligned accesses are tolerated by hardware but can cause silent data corruption or potential code execution due to compiler optimizations that assume aligned access.
The root cause is the lack of alignment padding when slicing the continuous output buffer per channel, leading to misaligned pointers. The vulnerability was fixed by replacing direct float pointer dereferences with safe unaligned load/store operations using memcpy-based helper functions.
How can this vulnerability impact me? :
If you use applications that decode untrusted EXR files with DWA/DWAB compression and FLOAT channels, this vulnerability can impact you in several ways depending on your system architecture.
- On architectures enforcing strict memory alignment (e.g., ARM, RISC-V, MIPS), the vulnerability causes immediate crashes or denial of service, potentially disrupting application availability.
- On x86 architectures, it can cause silent data corruption or even allow potential code execution due to compiler optimizations that assume aligned memory access, posing a security risk.
- The attack vector is network-based, requires no privileges, and has low complexity, but does require user interaction (e.g., opening a crafted EXR file).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for runtime errors related to misaligned memory accesses when decoding DWA/DWAB-compressed EXR files containing FLOAT-type channels. Specifically, tools like UndefinedBehaviorSanitizer (UBSan) can detect the issue at runtime with errors such as "store to misaligned address ... for type 'float', which requires 4 byte alignment."
To detect the vulnerability on your system, you can run the OpenEXR decoder with UBSan or AddressSanitizer enabled and observe if any misaligned memory write errors occur during decoding of suspicious EXR files.
Example commands to detect the issue might include:
- Compile OpenEXR with UBSan enabled (if building from source): clang -fsanitize=undefined -g -o openexr_decoder src/*.c
- Run the decoder on a DWA/DWAB-compressed EXR file with FLOAT channels: ./openexr_decoder suspicious_file.exr
- Monitor the output for UBSan errors indicating misaligned float stores.
Additionally, checking the OpenEXR library version used on your system can help identify if it is vulnerable. Versions from 3.2.0 up to but not including 3.2.7, 3.3.9, and 3.4.9 are affected.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the OpenEXR library to a fixed version. The vulnerability is resolved in versions 3.2.7, 3.3.9, and 3.4.9.
If upgrading is not immediately possible, avoid processing untrusted or potentially malicious EXR files that use DWA/DWAB compression with FLOAT-type channels, as these can trigger the misaligned memory write and cause crashes or data corruption.
Additionally, consider running the decoder with sanitizers enabled (e.g., UBSan) during testing to detect any misaligned memory accesses early.