Buffer overflow in Academysoftwarefoundation Openexr

CVE-2026-34589

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-c…

Vulnerability class: Integer Overflow

EPSS: 0.000 (1.4th percentile) — read the EPSS interpretation.

Affected products

Academysoftwarefoundation Openexr — versions >= 3.2.0, < 3.2.7, >= 3.3.0, < 3.3.9, >= 3.4.0, < 3.4.9

Weakness classification (CWE)

References

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x (x_refsource_CONFIRM)
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 (x_refsource_MISC)
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 (x_refsource_MISC)
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 (x_refsource_MISC)