Platform: c
Component: openexr
Fixed in: 3.4.1
CVE-2026-34378 is an integer overflow vulnerability affecting OpenEXR versions 3.4.0 through 3.4.8. The flaw is a missing bounds check on the dataWindow attribute of the EXR file header. A crafted header causes a signed integer overflow and the process terminates with SIGILL, affecting any application that relies on OpenEXR for image processing. A fix is available in version 3.4.9. Note that SIGILL on signed overflow is typically the signature of a build instrumented with UndefinedBehaviorSanitizer in trap mode (as in fuzzing harnesses); in an uninstrumented release build the same overflow is undefined behaviour and usually wraps silently, so the observable failure may be a different crash or a wrong allocation size rather than SIGILL.
To exploit the flaw, an attacker supplies an EXR file whose dataWindow.min.x value is engineered so that the image width computed from the window (max.x - min.x + 1) does not fit in a signed 32-bit integer. The oversized width then overflows during a subsequent multiplication, and the resulting SIGILL terminates the process, disrupting any image pipeline built on OpenEXR. The flaw does not lead to data exfiltration or remote code execution, but the denial-of-service impact can be significant in motion picture production environments where OpenEXR is the primary image storage and interchange format. Because the trigger is a single crafted header value, a malicious file can be small and otherwise well-formed, so any workflow that ingests EXR files from outside parties (including supply-chain style delivery of assets from vendors) is a plausible target.
This vulnerability was publicly disclosed on 2026-04-06. There is currently no indication of active exploitation and no KEV listing. Public proof-of-concept code is not yet available, but since the trigger is one crafted header field, producing a file that causes the crash is straightforward. The CVSS score of 6.5 (MEDIUM) reflects an availability-only impact.
Exploit Status: no known active exploitation, not on CISA KEV
EPSS: 0.04% (11th percentile)
CISA SSVC: not provided
CVSS Vector: not provided (base score 6.5, MEDIUM)
The primary mitigation for CVE-2026-34378 is to upgrade to OpenEXR version 3.4.9 or later, which adds the bounds check that prevents the integer overflow. If upgrading is not immediately feasible, validate EXR files before handing them to OpenEXR: parse the header, locate the dataWindow attribute, and reject files whose window is inverted or whose width or height cannot be represented as a signed 32-bit integer. A WAF or proxy cannot inspect EXR headers and a size threshold will not help, because the malicious file can be as small as a valid header; at most, a proxy can restrict which sources are allowed to submit EXR files at all. No Sigma or YARA rules are readily available for this vulnerability, but crash telemetry (core dumps, coredumpctl or abrt reports) showing SIGILL in processes that link libOpenEXR is a reasonable indicator of attempted exploitation.
Update to version 3.4.9 or later to mitigate the risk of a signed integer overflow. This update includes a bounds check on the dataWindow attribute, preventing the vulnerability.
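The following is an added example of the pre-processing check described above; it is not code from the OpenEXR project and does not reproduce the upstream fix. It walks a single-part EXR header (magic 20000630, version word, then NUL-terminated attribute name, NUL-terminated type name, int32 size and payload, ended by a lone NUL byte), pulls out the box2i dataWindow and validates it in 64-bit arithmetic so that a min.x such as INT32_MIN is rejected before the library would compute max.x - min.x + 1. The max_pixels policy limit, the check_window wrapper and the constructed test headers are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EXR_MAGIC 20000630 /* stored little-endian: 76 2f 31 01 */

typedef struct { int32_t xmin, ymin, xmax, ymax; } box2i;

enum exr_verdict { EXR_OK = 0, EXR_TRUNCATED, EXR_BAD_MAGIC, EXR_NO_DATAWINDOW, EXR_BAD_WINDOW };

static int32_t rd_i32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Length of the NUL-terminated string at buf[pos..len), or -1 if unterminated. */
static long cstr_len(const uint8_t *buf, size_t pos, size_t len) {
    for (size_t i = pos; i < len; i++)
        if (buf[i] == 0) return (long)(i - pos);
    return -1;
}

/* The bounds check: done in 64-bit so the subtraction itself cannot overflow.
 * max_pixels is a pipeline policy limit (assumed here, not part of the format). */
int datawindow_is_sane(box2i w, int64_t max_pixels) {
    int64_t width  = (int64_t)w.xmax - (int64_t)w.xmin + 1;
    int64_t height = (int64_t)w.ymax - (int64_t)w.ymin + 1;
    if (width < 1 || height < 1) return 0;                 /* inverted or empty window */
    if (width > INT32_MAX || height > INT32_MAX) return 0; /* would overflow int32 downstream */
    if (width * height > max_pixels) return 0;             /* keep allocations within policy */
    return 1;
}

/* Scan the header for dataWindow and validate it before the file reaches OpenEXR.
 * Stores the parsed window in *out (if non-NULL) when one is found. */
int exr_precheck(const uint8_t *buf, size_t len, int64_t max_pixels, box2i *out) {
    if (len < 8) return EXR_TRUNCATED;
    if (rd_i32(buf) != EXR_MAGIC) return EXR_BAD_MAGIC;
    size_t pos = 8;                                        /* skip magic + version/flags */
    for (;;) {
        if (pos >= len) return EXR_TRUNCATED;
        if (buf[pos] == 0) return EXR_NO_DATAWINDOW;       /* header terminator reached */
        long nlen = cstr_len(buf, pos, len);
        if (nlen < 0) return EXR_TRUNCATED;
        const uint8_t *name = buf + pos;
        pos += (size_t)nlen + 1;
        long tlen = cstr_len(buf, pos, len);
        if (tlen < 0) return EXR_TRUNCATED;
        const uint8_t *type = buf + pos;
        pos += (size_t)tlen + 1;
        if (len - pos < 4) return EXR_TRUNCATED;
        int32_t size = rd_i32(buf + pos);
        pos += 4;
        if (size < 0 || (size_t)size > len - pos) return EXR_TRUNCATED;
        if (nlen == 10 && memcmp(name, "dataWindow", 10) == 0) {
            if (tlen != 5 || memcmp(type, "box2i", 5) != 0 || size != 16) return EXR_BAD_WINDOW;
            box2i w = { rd_i32(buf + pos), rd_i32(buf + pos + 4),
                        rd_i32(buf + pos + 8), rd_i32(buf + pos + 12) };
            if (out) *out = w;
            return datawindow_is_sane(w, max_pixels) ? EXR_OK : EXR_BAD_WINDOW;
        }
        pos += (size_t)size;                               /* skip any other attribute */
    }
}

static size_t put_i32(uint8_t *dst, size_t pos, int32_t v) {
    uint32_t u = (uint32_t)v;
    dst[pos] = (uint8_t)u;             dst[pos + 1] = (uint8_t)(u >> 8);
    dst[pos + 2] = (uint8_t)(u >> 16); dst[pos + 3] = (uint8_t)(u >> 24);
    return pos + 4;
}

/* Constructed minimal header (not a real EXR file): magic, version 2,
 * a compression attribute, the dataWindow under test, then the terminator. */
size_t build_header(uint8_t *dst, box2i w) {
    size_t pos = put_i32(dst, 0, EXR_MAGIC);
    pos = put_i32(dst, pos, 2);
    memcpy(dst + pos, "compression\0compression\0", 24); pos += 24;
    pos = put_i32(dst, pos, 1); dst[pos++] = 0;            /* NO_COMPRESSION */
    memcpy(dst + pos, "dataWindow\0box2i\0", 17);  pos += 17;
    pos = put_i32(dst, pos, 16);
    pos = put_i32(dst, pos, w.xmin); pos = put_i32(dst, pos, w.ymin);
    pos = put_i32(dst, pos, w.xmax); pos = put_i32(dst, pos, w.ymax);
    dst[pos++] = 0;
    return pos;
}

/* Verdict for a header carrying the given window, with a 4-gigapixel policy cap. */
int check_window(int32_t xmin, int32_t ymin, int32_t xmax, int32_t ymax) {
    uint8_t buf[96];
    box2i w = { xmin, ymin, xmax, ymax };
    size_t n = build_header(buf, w);
    return exr_precheck(buf, n, (int64_t)1 << 32, NULL);
}

int main(void) {
    static const char *names[] = { "ok", "truncated", "bad magic", "no dataWindow", "bad dataWindow" };
    printf("benign 64x64 window:          %s\n", names[check_window(0, 0, 63, 63)]);
    printf("min.x = INT32_MIN (CVE case): %s\n", names[check_window(INT32_MIN, 0, 1, 0)]);
    printf("inverted window:              %s\n", names[check_window(10, 0, 5, 0)]);
    return 0;
}
```

Run the check on every EXR file before it is opened by OpenEXR and quarantine anything that does not return EXR_OK. The 64-bit arithmetic is the point: the library's width computation is what overflows, so the pre-filter must compute the same quantity in a wider type and refuse values that do not fit in int32, rather than only comparing min against max.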
CVE-2026-34378 is a medium-severity Integer Overflow vulnerability affecting OpenEXR versions 3.4.0 through 3.4.8. A missing bounds check in EXR file headers can trigger a process crash.
You are affected if you are using OpenEXR versions 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, or 3.4.8. Upgrade to 3.4.9 or later to mitigate the risk.
Upgrade OpenEXR to version 3.4.9 or later. If upgrading is not possible immediately, implement input validation on EXR files before processing.
There is currently no evidence of active exploitation, but because the trigger is a single crafted header field, a file that causes the crash is easy to produce.
Refer to the official OpenEXR project website and relevant security mailing lists for updates and advisories related to CVE-2026-34378.