Zero Day MonitorZDM

← Back to list

7.8

CVE-2026-34588EXPLOITEDPATCHED

openexr · openexr

OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.

Affected Products

Vendor	Product	Versions
openexr	openexr	pip/OpenEXR: >= 3.1.0, < 3.2.7, pip/OpenEXR: >= 3.3.0, < 3.3.9, pip/OpenEXR: >= 3.4.0, < 3.4.9

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
pip	openexr	GHSA	85%
red hat	enterprise linux	cert_advisory	90%

References

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf(x_refsource_CONFIRM)
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7(x_refsource_MISC)
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9(x_refsource_MISC)
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9(x_refsource_MISC)

Related News (2 articles)

Tier B

BSI Advisories9h ago

[NEU] [hoch] Red Hat Enterprise Linux (openEXR): Schwachstelle ermöglicht Codeausführung

→ No new info (linked only)

Tier C

VulDB35d ago

CVE-2026-34588 | AcademySoftwareFoundation OpenEXR up to 3.1.13/3.2.6/3.3.8/3.4.8 EXR File Parser internal_exr_undo_piz out-of-bounds (GHSA-588r-cr5c-w6hf)

→ No new info (linked only)

CVSS 3.17.8 CRITICAL

VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

OpenEXR@3.2.7OpenEXR@3.3.9OpenEXR@3.4.9

CWECWE-125, CWE-190, CWE-787

PublishedApr 6, 2026

Last enriched9h agov3

Tags

code execution

Trending Score63

Source articles2

Independent2

Info Completeness10/14

Missing: epss, kev, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-42216EXP

OpenEXR: Out-of-bounds read in `IDManifest::init()` during prefix expansion

MEDIUMCVE-2026-39886EXP

OpenEXR has HTJ2K Signed Integer Overflow in ht_undo_impl()

NONECVE-2026-40244EXP

OpenEXR has integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (missed variant of CVE-2026-34589)

NONECVE-2026-40250EXP

OpenEXR has integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)

HIGHCVE-2026-34379

OpenEXR has a misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 6, 2026

Discovered by ZDM

Apr 6, 2026

Updated: severity, affectedVersions, activelyExploited

Apr 6, 2026

Actively Exploited

Apr 7, 2026

Exploit Available

Apr 7, 2026

Patch Available

Apr 7, 2026

Updated: severity, exploitAvailable, tags

May 11, 2026

Version History

v3

Last enriched 9h ago

v3Tier B9h ago

Updated vendor to Red Hat, product to Red Hat Enterprise Linux (openEXR), changed severity to CRITICAL, and marked exploit as available.

severityexploitAvailabletags

via BSI Advisories

v2Tier C35d ago

Updated severity to HIGH, added affected versions up to 3.2.6, 3.3.8, and 3.4.8, and noted that no exploit is available.

severityaffectedVersionsactivelyExploited

via VulDB

v135d ago

Initial creation