Out-of-bounds Read in Academysoftwarefoundation Openexr

CVE-2026-34588

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wav…

Vulnerability class: Buffer Overflow

EPSS: 0.000 (1.3th percentile) — read the EPSS interpretation.

Affected products

Academysoftwarefoundation Openexr — versions >= 3.1.0, <= 3.1.13, >= 3.2.0, < 3.2.7, >= 3.3.0, < 3.3.9

Weakness classification (CWE)

References

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf (x_refsource_CONFIRM)
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 (x_refsource_MISC)
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 (x_refsource_MISC)
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 (x_refsource_MISC)