JLSEC-2026-143
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file containing a FLOAT-type channel, the decoder performs an in-place HALF→FLOAT conversion by casting an unaligned uint8_t * row pointer to float * and writing through it. Because the row buffer may not be 4-byte aligned, this constitutes undefined behavior under the C standard and crashes immediately on architectures that enforce alignment (ARM, RISC-V, etc.). On x86 it is silently tolerated at runtime but remains exploitable via compiler optimizations that assume aligned access. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Julia | OpenEXR_jll | 3.1.4+0, 3.1.4+0 |
Timeline
- Apr 17, 2026 CVE Published
- Apr 17, 2026 CVE Updated
References
- https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 url
- https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 url
- https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 url
- https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-w88v-vqhq-5p24 url