CVE-2026-34543
Information Disclosure in OpenEXR 3.4.0–3.4.7 via Malicious EXR Files
Publication date: 2026-04-01
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openexr | openexr | From 3.4.0 (inc) to 3.4.8 (exc) |
| openexr | openexr | From 3.2.0 (inc) to 3.2.7 (exc) |
| openexr | openexr | From 3.3.0 (inc) to 3.3.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-908 | The product uses or accesses a resource that has not been initialized. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying the presence of vulnerable OpenEXR versions (3.4.0 to before 3.4.8) on your system and by monitoring for the processing or opening of maliciously crafted EXR files that exploit the PXR24 decompression function.
Since the issue is triggered simply by reading a malicious EXR file, detection can involve scanning for EXR files that might be malformed or crafted to exploit this vulnerability.
Suggested commands include checking the installed OpenEXR version to confirm it is 3.4.8 or later (the patched version):
- OpenEXR version check (example): `exrheader --version`, or `dpkg -l | grep openexr` on Debian-based systems
- Searching for EXR files on your system that could be suspicious: `find /path/to/scan -type f -name '*.exr'`
For active detection, you can attempt to process suspect EXR files in a controlled environment using the vulnerable OpenEXR versions and observe if any abnormal memory reads or crashes occur, but no specific commands for detection of the heap information leak are provided in the resources.
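The version check above is easy to get wrong by hand because three release branches are affected (3.2.x, 3.3.x and 3.4.x, per the Affected Vendors & Products table) and each has its own first fixed version. The following script is an added example, not part of this advisory or of the OpenEXR project; it parses a version string (as printed by a tool or as found in a `dpkg -l` listing) and compares it against the affected ranges from the table. The package names and `dpkg -l` lines in the sample are constructed for illustration.

```python
"""Triage an installed OpenEXR version against the affected ranges for CVE-2026-34543.

Added example: the ranges below are copied from the advisory's affected-versions
table; the sample inputs are constructed and do not come from a real system.
"""
import re

# [start, end) per release branch, taken from the advisory table.
AFFECTED_RANGES = [
    ((3, 2, 0), (3, 2, 7)),
    ((3, 3, 0), (3, 3, 9)),
    ((3, 4, 0), (3, 4, 8)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first X.Y.Z triple from a string such as '3.4.3' or '3.4.3-2build1'.

    Distro suffixes after the upstream triple are ignored on purpose: the
    advisory ranges are expressed in upstream version numbers.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def fixed_version_for(version_text):
    """Return the first fixed version on the same branch, or None if not affected."""
    version = parse_version(version_text)
    for lower, upper in AFFECTED_RANGES:
        if lower <= version < upper:
            return ".".join(str(p) for p in upper)
    return None


def is_affected(version_text):
    return fixed_version_for(version_text) is not None


def version_from_dpkg_line(line):
    """Pull the version column out of one `dpkg -l` row (status, name, version, arch, desc).

    Returns None for header lines or packages that are not in the installed ('ii') state.
    """
    fields = line.split(None, 4)
    if len(fields) < 3 or fields[0] != "ii":
        return None
    return fields[2]


def triage(version_texts):
    """Map each version string to a short verdict the operator can act on."""
    verdicts = {}
    for text in version_texts:
        fixed = fixed_version_for(text)
        verdicts[text] = f"AFFECTED, upgrade to {fixed}" if fixed else "not affected"
    return verdicts


if __name__ == "__main__":
    # Constructed sample: a few bare version strings plus a fake dpkg -l listing.
    samples = ["3.4.3", "3.4.8", "3.3.2-1build1", "3.1.5", "3.2.7"]
    dpkg_listing = [
        "Desired=Unknown/Install/Remove/Purge/Hold",
        "ii  libopenexr-example:amd64  3.4.3-2  amd64  constructed sample row",
        "rc  libopenexr-old:amd64      3.2.1-1  amd64  constructed removed package",
    ]
    samples += [v for v in map(version_from_dpkg_line, dpkg_listing) if v]
    for text, verdict in triage(samples).items():
        print(f"{text:>15}: {verdict}")
```

Run it as-is to see the constructed sample triaged, or feed it the output of your own version command; a version that sits in none of the three ranges (for example the 3.1.x branch) is reported as not affected because the table does not list it, not because it has been verified clean.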
Can you explain this vulnerability to me?
This vulnerability exists in OpenEXR versions from 3.4.0 up to but not including 3.4.8. It involves the leaking of sensitive information from heap memory through the decoded pixel data when reading a malicious EXR file. The issue occurs under default settings and requires no user interaction beyond simply reading the file.
How can this vulnerability impact me?
The vulnerability can lead to information disclosure by leaking sensitive data from heap memory when processing a malicious EXR file. This could expose confidential or private information unintentionally, potentially compromising security or privacy.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenEXR to version 3.4.8 or later, where the issue has been patched.
Avoid processing untrusted or malicious EXR files with vulnerable versions of OpenEXR (3.4.0 to before 3.4.8) as simply reading such files can trigger the information disclosure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in OpenEXR allows sensitive information from heap memory to be leaked through decoded pixel data when processing malicious EXR files. This type of information disclosure could potentially lead to unauthorized exposure of personal or sensitive data.
Such unauthorized data exposure may impact compliance with data protection regulations and standards like GDPR and HIPAA, which require organizations to protect sensitive information from leaks and unauthorized access.
However, the provided information does not specify exact compliance impacts or whether the leaked data includes regulated personal information.