CVE-2026-34380

Exploit

EPSS 0.05%
Veröffentlicht 06.04.2026 15:22:40
Zuletzt bearbeitet 07.04.2026 19:03:08
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenEXR has a signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c at line 377. The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit integer before casting to uint64_t. When w is large, this multiplication constitutes undefined behavior under the C standard. On tested builds (clang/gcc without sanitizers), two's-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer, which may allow the subsequent bounds check to pass incorrectly. If the check is bypassed, the decoding loop proceeds to write pixel data through dout, potentially extending far beyond the allocated output buffer. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 7

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openexr ≫ Openexr Version >= 3.2.0 < 3.2.7

Openexr ≫ Openexr Version >= 3.3.0 < 3.3.9

Openexr ≫ Openexr Version >= 3.4.0 < 3.4.9

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.163

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.9	1.6	4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q3v8-hw4m-59w5

Vendor Advisory

Exploit

https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9

Product

Release Notes

https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7

Product

Release Notes

https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9