{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-34589","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-03-30T17:15:52.498Z","datePublished":"2026-04-06T15:33:03.276Z","dateUpdated":"2026-06-30T12:09:12.431Z"},"containers":{"cna":{"title":"OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write","problemTypes":[{"descriptions":[{"cweId":"CWE-190","lang":"en","description":"CWE-190: Integer Overflow or Wraparound","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-787","lang":"en","description":"CWE-787: Out-of-bounds Write","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":8.4,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x","tags":["x_refsource_CONFIRM"],"url":"https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x"},{"name":"https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7","tags":["x_refsource_MISC"],"url":"https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7"},{"name":"https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9","tags":["x_refsource_MISC"],"url":"https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9"},{"name":"https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9","tags":["x_refsource_MISC"],"url":"https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9"}],"affected":[{"vendor":"AcademySoftwareFoundation","product":"openexr","versions":[{"version":">= 3.2.0, < 3.2.7","status":"affected"},{"version":">= 3.3.0, < 3.3.9","status":"affected"},{"version":">= 3.4.0, < 3.4.9","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-04-07T03:08:13.554Z"},"descriptions":[{"lang":"en","value":"OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9."}],"source":{"advisory":"GHSA-p8xc-w3q4-h64x","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-07T03:56:05.730658Z","id":"CVE-2026-34589","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-07T13:05:41.117Z"}},{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"}],"datePublic":"2026-04-06T15:33:03.276Z","descriptions":[{"lang":"en","value":"A flaw was found in OpenEXR. The DWA lossy decoder, responsible for processing EXR image files, incorrectly handles large image widths. This occurs because temporary block pointers are constructed using signed 32-bit arithmetic, which can overflow. A remote attacker could exploit this by providing a specially crafted EXR file, leading to memory corruption and potentially arbitrary code execution or denial of service."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-190","description":"Integer Overflow or Wraparound","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-34589"},{"name":"RHBZ#2455411","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455411"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34589.json"}],"timeline":[{"lang":"en","time":"2026-04-06T16:02:50.076Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-06T15:33:03.276Z","value":"Made public."}],"title":"OpenEXR: OpenEXR: Memory corruption leading to arbitrary code execution or denial of service","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:09:12.431Z"}}]}}