CVE-2026-34543
Received Received - Intake
Information Disclosure in OpenEXR 3.4.0–3.4.7 via Malicious EXR Files

Publication date: 2026-04-01

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). This occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction. This issue has been patched in version 3.4.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34543
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
openexr openexr From 3.4.0 (inc) to 3.4.8 (exc)
openexr openexr From 3.2.0 (inc) to 3.2.7 (exc)
openexr openexr From 3.3.0 (inc) to 3.3.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-908 The product uses or accesses a resource that has not been initialized.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenEXR versions from 3.4.0 up to but not including 3.4.8. It involves the leaking of sensitive information from heap memory through the decoded pixel data when reading a malicious EXR file. The issue occurs under default settings and requires no user interaction beyond simply reading the file.

Impact Analysis

The vulnerability can lead to information disclosure by leaking sensitive data from heap memory when processing a malicious EXR file. This could expose confidential or private information unintentionally, potentially compromising security or privacy.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenEXR to version 3.4.8 or later, where the issue has been patched.

Avoid processing untrusted or malicious EXR files with vulnerable versions of OpenEXR (3.4.0 to before 3.4.8) as simply reading such files can trigger the information disclosure.

Compliance Impact

The vulnerability in OpenEXR allows sensitive information from heap memory to be leaked through decoded pixel data when processing malicious EXR files. This type of information disclosure could potentially lead to unauthorized exposure of personal or sensitive data.

Such unauthorized data exposure may impact compliance with data protection regulations and standards like GDPR and HIPAA, which require organizations to protect sensitive information from leaks and unauthorized access.

However, the provided information does not specify exact compliance impacts or whether the leaked data includes regulated personal information.

Detection Guidance

This vulnerability can be detected by identifying the presence of vulnerable OpenEXR versions (3.4.0 to before 3.4.8) on your system and by monitoring for the processing or opening of maliciously crafted EXR files that exploit the PXR24 decompression function.

Since the issue is triggered simply by reading a malicious EXR file, detection can involve scanning for EXR files that might be malformed or crafted to exploit this vulnerability.

Suggested commands include checking the installed OpenEXR version to ensure it is 3.4.8 or later (patched version):

  • openexr version check (example): `exrheader --version` or `dpkg -l | grep openexr` (on Debian-based systems)
  • Searching for EXR files on your system that could be suspicious: `find /path/to/scan -type f -name '*.exr'`

For active detection, you can attempt to process suspect EXR files in a controlled environment using the vulnerable OpenEXR versions and observe if any abnormal memory reads or crashes occur, but no specific commands for detection of the heap information leak are provided in the resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34543. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart