CVE-2026-34588
Signed Integer Overflow in OpenEXR Causes Out-of-Bounds Access

Publication date: 2026-04-06

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor    Product   Version / Range
openexr   openexr   From 3.1.0 (inc) to 3.2.7 (exc)
openexr   openexr   From 3.3.0 (inc) to 3.3.9 (exc)
openexr   openexr   From 3.4.0 (inc) to 3.4.9 (exc)
CWE
CWE ID   Description
CWE-125  The product reads data past the end, or before the beginning, of the intended buffer.
CWE-787  The product writes data past the end, or before the beginning, of the intended buffer.
CWE-190  The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34588 is a high-severity vulnerability in the OpenEXR library's PIZ decoder affecting versions 3.1.0 through 3.4.8. The issue occurs because the function internal_exr_undo_piz() uses signed 32-bit arithmetic to advance a working wavelet pointer by calculating wavbuf += nx * ny * wcount, where nx, ny, and wcount are signed 32-bit integers.

A specially crafted EXR file can cause the multiplication nx * ny * wcount to overflow and wrap around, making the wavbuf pointer point to an incorrect memory address. Since the wavelet decode operates in-place, this results in out-of-bounds reads and writes during the decoding process.

Specifically, the overflow causes the next channel's decode to operate on an incorrect address, leading to heap-buffer-overflow conditions confirmed by memory error detection tools. This can be triggered by EXR files with extremely large dimensions that cause the arithmetic overflow.

How can this vulnerability impact me?

This vulnerability allows a crafted EXR file to cause out-of-bounds memory access during PIZ decompression, which can lead to process crashes and memory corruption.

Depending on the memory layout, it may also allow more severe exploitation, potentially compromising the affected system.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by analyzing the behavior of the OpenEXR library when processing EXR files, especially those with extremely large dimensions that may cause integer overflow in the wavelet decoding process.

Detection can be performed by running the vulnerable OpenEXR decoder under memory error detection tools such as AddressSanitizer (ASan) or Valgrind; these tools flag the invalid out-of-bounds reads and writes triggered by crafted EXR files.

Suggested commands include:

  • Run the OpenEXR decoder with AddressSanitizer enabled to detect heap-buffer-overflow errors.
  • Use Valgrind to monitor the decoder for invalid memory accesses: valgrind --tool=memcheck ./openexr_decoder <crafted_exr_file>
  • Check for unusually large or suspicious EXR files with dimensions that could cause integer overflow, for example, width around 67,108,862 and height 32.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating the OpenEXR library to a fixed version where this vulnerability is resolved.

  • Upgrade to OpenEXR version 3.2.7, 3.3.9, or 3.4.9 or later, where the integer overflow and out-of-bounds access issues have been fixed.
  • If upgrading is not immediately possible, avoid processing untrusted EXR files, especially those with extremely large dimensions that could trigger the overflow.
  • Implement input validation to reject EXR files where the product of width, height, and channel sampling factors could overflow 32-bit signed integers.
  • Because the attack vector is local, monitor and restrict local access to the vulnerable decoder.
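As an added illustration (not code from OpenEXR or from the advisory) of the wrap described in the explanation above and of the input-validation mitigation in the list just given, the following C shows the three-factor int product wrapping for constructed operands, beside a checked advance that bounds the channel size in 64-bit arithmetic against the remaining buffer before moving the pointer. The uint16_t element type, the function names and the dimensions 67108862 x 32 x 2 are assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The advance the advisory describes, nx * ny * wcount, truncated to the width
 * of int. Done in unsigned arithmetic so this demonstration itself has no
 * undefined behaviour; the result is reinterpreted as a two's complement int32. */
int32_t wrapped_advance(int nx, int ny, int wcount)
{
    uint32_t prod = (uint32_t)nx * (uint32_t)ny * (uint32_t)wcount;
    return (int32_t)prod;
}

/* Hardened advance (constructed example, not the upstream fix): reject negative
 * operands, test the channel size without forming an overflowing product, and
 * refuse a channel that does not fit in the elements left before `end`. */
bool checked_advance(const uint16_t **wavbuf, const uint16_t *end,
                     int nx, int ny, int wcount)
{
    if (nx < 0 || ny < 0 || wcount < 0 || *wavbuf > end) return false;
    uint64_t remaining = (uint64_t)(end - *wavbuf);
    uint64_t plane = (uint64_t)nx * (uint64_t)ny;   /* < 2^62, cannot overflow */
    /* Checks plane * wcount <= remaining without computing the 3-way product. */
    if (wcount != 0 && plane > remaining / (uint64_t)wcount) return false;
    *wavbuf += plane * (uint64_t)wcount;
    return true;
}

/* Walks a constructed 64-element buffer channel by channel and returns how
 * many channel advances were accepted. Expected: 2. */
int demo_walk(void)
{
    uint16_t buf[64] = {0};
    const uint16_t *p = buf, *end = buf + 64;
    int accepted = 0;
    accepted += checked_advance(&p, end, 4, 4, 2);          /* 32 elems: fits */
    accepted += checked_advance(&p, end, 4, 4, 3);          /* 48 > 32 left */
    accepted += checked_advance(&p, end, 67108862, 32, 2);  /* 4,294,967,168 */
    accepted += checked_advance(&p, end, 4, 4, 2);          /* last 32: fits */
    return accepted;
}

int main(void)
{
    /* 67108862 * 32 * 2 = 4294967168 wraps to -128 in 32 bits: the naive
     * pointer would step backwards instead of forward by that many elements. */
    printf("wrapped advance: %d elements\n", wrapped_advance(67108862, 32, 2));
    printf("channels accepted: %d\n", demo_walk());
    return 0;
}
```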
