
CVE-2026-34378: OpenEXR Integer Overflow (3.4.0-3.4.9)

Platform: c
Component: openexr
Fixed in: 3.4.9

CVE-2026-34378 is an Integer Overflow vulnerability discovered in OpenEXR, a library for handling the EXR image file format. Exploitation involves crafting a malicious EXR file with a specific dataWindow attribute that triggers an overflow during image width calculation, ultimately causing a SIGILL termination. This vulnerability affects OpenEXR versions 3.4.0 up to, but not including, 3.4.9. A patch is available in version 3.4.9.

How to fix

Upgrade to version 3.4.9 or later to mitigate the risk of a signed integer overflow. This update adds a bounds check on the dataWindow attribute, which prevents the vulnerability.

Frequently asked questions

What is CVE-2026-34378?

CVE-2026-34378 is an Integer Overflow vulnerability in OpenEXR. A specially crafted EXR file can cause a signed integer overflow, leading to a program crash (SIGILL). It resides in the handling of the dataWindow attribute within EXR file headers.

Am I affected by CVE-2026-34378?

You are potentially affected if you are using OpenEXR versions 3.4.0 through 3.4.8. Versions prior to 3.4.0 are not affected, and version 3.4.9 contains a fix.

How do I fix CVE-2026-34378?

Upgrade to OpenEXR version 3.4.9 or later to resolve this vulnerability. This version includes a bounds check that prevents the integer overflow from occurring.
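To illustrate the bug class described above and the kind of bounds check the fix adds, here is an added C example that is not OpenEXR's code: a hypothetical DataWindow struct (standing in for the header's dataWindow box) with an overflow-prone width computation beside a checked variant that rejects windows whose width or height cannot fit in a positive 32-bit integer.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for an EXR dataWindow: inclusive pixel bounds.
 * Not OpenEXR's own type; constructed for this example. */
typedef struct {
    int32_t xMin, yMin, xMax, yMax;
} DataWindow;

/* Reports whether the naive 32-bit expression "xMax - xMin + 1" would
 * leave the int32_t range. The arithmetic is done in 64 bits here so the
 * check itself never invokes undefined behaviour; in 32-bit code the same
 * expression on extreme bounds is a signed overflow. */
static bool width_would_overflow(const DataWindow *dw) {
    int64_t w = (int64_t)dw->xMax - (int64_t)dw->xMin + 1;
    return w > INT32_MAX || w < INT32_MIN;
}

/* Hardened variant: reject inverted boxes and any width or height that
 * does not fit in int32_t. Returns true and fills *width/*height on
 * success, false when the window must be rejected. */
static bool checked_window_size(const DataWindow *dw,
                                int32_t *width, int32_t *height) {
    if (dw->xMax < dw->xMin || dw->yMax < dw->yMin) return false; /* inverted */
    int64_t w = (int64_t)dw->xMax - (int64_t)dw->xMin + 1;
    int64_t h = (int64_t)dw->yMax - (int64_t)dw->yMin + 1;
    if (w > INT32_MAX || h > INT32_MAX) return false;            /* too wide/tall */
    *width = (int32_t)w;
    *height = (int32_t)h;
    return true;
}

int main(void) {
    /* Constructed sample windows: an ordinary HD frame and extreme bounds. */
    DataWindow ok = {0, 0, 1919, 1079};
    DataWindow extreme = {INT32_MIN, 0, INT32_MAX, 0};
    int32_t w = 0, h = 0;
    printf("ordinary window: %s\n",
           checked_window_size(&ok, &w, &h) ? "accepted" : "rejected");
    printf("extreme window:  %s (naive width overflows: %s)\n",
           checked_window_size(&extreme, &w, &h) ? "accepted" : "rejected",
           width_would_overflow(&extreme) ? "yes" : "no");
    return 0;
}
```

A parser that validates the window before deriving buffer sizes from it turns the crash into a clean rejection of the file.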
