CVE-2026-34588
Received Received - Intake
Signed Integer Overflow in OpenEXR Causes Out-of-Bounds Access

Publication date: 2026-04-06

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34588
EUVD
EUVD-2026-19347
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
openexr openexr From 3.3.0 (inc) to 3.3.9 (exc)
openexr openexr From 3.4.0 (inc) to 3.4.9 (exc)
openexr openexr From 3.1.0 (inc) to 3.2.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34588 is a high-severity vulnerability in the OpenEXR library's PIZ decoder affecting versions 3.1.0 through 3.4.8. The issue occurs because the function internal_exr_undo_piz() uses signed 32-bit arithmetic to advance a working wavelet pointer by calculating wavbuf += nx * ny * wcount, where nx, ny, and wcount are signed 32-bit integers.

A specially crafted EXR file can cause the multiplication nx * ny * wcount to overflow and wrap around, making the wavbuf pointer point to an incorrect memory address. Since the wavelet decode operates in-place, this results in out-of-bounds reads and writes during the decoding process.

Specifically, the overflow causes the next channel's decode to operate on an incorrect address, leading to heap-buffer-overflow conditions confirmed by memory error detection tools. This can be triggered by EXR files with extremely large dimensions that cause the arithmetic overflow.

Impact Analysis

This vulnerability allows a crafted EXR file to cause out-of-bounds memory access during PIZ decompression, which can lead to process crashes and memory corruption.

Depending on the memory layout, it may also allow more severe exploitation, potentially compromising the affected system.

Detection Guidance

This vulnerability can be detected by analyzing the behavior of the OpenEXR library when processing EXR files, especially those with extremely large dimensions that may cause integer overflow in the wavelet decoding process.

Detection can be performed by running the vulnerable OpenEXR decoder under memory error detection tools such as AddressSanitizer (ASAN) or Valgrind, which have confirmed invalid out-of-bounds reads and writes triggered by crafted EXR files.

Suggested commands include:

  • Run the OpenEXR decoder with AddressSanitizer enabled to detect heap-buffer-overflow errors.
  • Use Valgrind to monitor the decoder for invalid memory accesses: valgrind --tool=memcheck ./openexr_decoder <crafted_exr_file>
  • Check for unusually large or suspicious EXR files with dimensions that could cause integer overflow, for example, width around 67,108,862 and height 32.
Mitigation Strategies

Immediate mitigation steps include updating the OpenEXR library to a fixed version where this vulnerability is resolved.

  • Upgrade to OpenEXR version 3.2.7, 3.3.9, or 3.4.9 or later, where the integer overflow and out-of-bounds access issues have been fixed.
  • If upgrading is not immediately possible, avoid processing untrusted or specially crafted EXR files with extremely large dimensions that could trigger the overflow.
  • Implement input validation to reject EXR files where the product of width, height, and channel sampling factors could overflow 32-bit signed integers.
  • Monitor and restrict local access to the vulnerable decoder to prevent exploitation since the attack vector is local.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34588. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart