CVE-2026-34589

CVE-2026-34589 PUBLISHED CVSS 8.4 HIGH

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.

EPSS 0.01% · 1.4th percentile

Risk Scores

CVSS v4.0
8.4
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.01%
1.4th percentile

Affected Products

Vendor | Product | Versions
AcademySoftwareFoundation | openexr | >= 3.2.0, < 3.2.7, >= 3.4.0, < 3.4.9, *

Timeline

  • Apr 5, 2026 PoC Published
  • Apr 6, 2026 CVE Published
  • Apr 7, 2026 CVE Updated
  • Apr 9, 2026 Security Advisory
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score