Platform: c
Component: openexr
Fixed in: 3.2.1, 3.3.1, 3.4.1
CVE-2026-34379 describes a memory corruption vulnerability discovered in OpenEXR, a library for reading and writing EXR image files. The flaw is a misaligned memory write in the LossyDctDecoder_execute() function while decoding DWA- or DWAB-compressed EXR files that contain FLOAT-type channels. Affected versions include OpenEXR 3.2.0 through 3.4.8. A fix is available in version 3.2.7.
An attacker could exploit this vulnerability with a malicious EXR file whose DWA- or DWAB-compressed FLOAT-type channel triggers the misaligned write when OpenEXR decodes it, potentially leading to arbitrary code execution. The impact is significant: an attacker could gain control of the system processing the image, which could lead to data theft, system compromise, or further exploitation of other weaknesses on the affected host. The impact is amplified in environments that process EXR files routinely, such as motion picture production pipelines or image processing applications.
This vulnerability was publicly disclosed on 2026-04-06. Currently, there are no known active campaigns exploiting this specific CVE. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.1 indicates a HIGH severity, suggesting a reasonable likelihood of exploitation if a PoC is developed and made public.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34379 is to upgrade to OpenEXR version 3.2.7 or later. If upgrading is not immediately feasible, consider input validation that rejects EXR files using DWA or DWAB compression together with FLOAT-type channels. This is not a complete solution, but it reduces the attack surface. Additionally, monitor system logs for crashes or unusual memory access patterns in processes that decode EXR files with OpenEXR. No specific WAF rules or detection signatures are readily available, so patching remains the priority. After upgrading, confirm the fix by decoding a known-bad test file (if one is available) or by running a thorough system scan.
Update the OpenEXR library to version 3.2.7 or higher, 3.3.9 or higher, or 3.4.9 or higher to mitigate the vulnerability. The update corrects the misaligned write in LossyDctDecoder_execute(), preventing undefined behavior and potential crashes.
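The input-validation pre-filter suggested above, as an added example that is not OpenEXR project code: it parses a single-part EXR header following the OpenEXR file layout (magic number, then NUL-terminated name/type attribute entries; compression code 8 = DWAA, 9 = DWAB; chlist pixel type 2 = FLOAT) and flags files that combine DWA/DWAB compression with a FLOAT channel so they can be quarantined before an unpatched library decodes them. The two sample headers at the end are constructed for the demonstration and omit attributes a real file carries.

```python
import struct

EXR_MAGIC = 0x01312F76               # first four bytes of every EXR file (little-endian int32)
DWA_COMPRESSION = {8: "DWAA", 9: "DWAB"}  # 'compression' attribute codes this advisory concerns
FLOAT_PIXEL_TYPE = 2                 # chlist pixel type codes: 0 = UINT, 1 = HALF, 2 = FLOAT

def _read_cstring(buf, pos):
    """Read a NUL-terminated string at pos; return (text, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def parse_exr_header(data):
    """Return (compression_code, [(channel_name, pixel_type), ...]) from a single-part EXR header.
    Only the two attributes the check needs are decoded; others are skipped by declared size."""
    magic, version = struct.unpack_from("<iI", data, 0)
    if magic != EXR_MAGIC:
        raise ValueError("not an EXR file")
    if version & 0x1000:             # multipart flag: several headers follow, not handled here
        raise ValueError("multipart EXR not supported by this checker")
    pos, compression, channels = 8, None, []
    while True:
        name, pos = _read_cstring(data, pos)
        if name == "":               # an empty attribute name terminates the header
            break
        atype, pos = _read_cstring(data, pos)
        (size,) = struct.unpack_from("<i", data, pos)
        value, pos = data[pos + 4:pos + 4 + size], pos + 4 + size
        if atype == "compression":
            compression = value[0]   # single byte: 0 NONE ... 8 DWAA, 9 DWAB
        elif atype == "chlist":
            cpos = 0
            while value[cpos] != 0:  # the channel list ends with a single NUL byte
                cname, cpos = _read_cstring(value, cpos)
                (ptype,) = struct.unpack_from("<i", value, cpos)
                cpos += 16           # pixel type, pLinear, 3 reserved bytes, xSampling, ySampling
                channels.append((cname, ptype))
    return compression, channels

def is_dwa_float_exr(data):
    """True when the header combines DWAA/DWAB compression with at least one FLOAT channel."""
    compression, channels = parse_exr_header(data)
    return compression in DWA_COMPRESSION and any(t == FLOAT_PIXEL_TYPE for _, t in channels)

# Constructed sample headers for the demonstration (not real files; dataWindow etc. are omitted).
def _attr(name, atype, value):
    return name.encode() + b"\x00" + atype.encode() + b"\x00" + struct.pack("<i", len(value)) + value
def _channel(name, ptype):           # one chlist entry with pLinear = 0 and 1x1 sampling
    return name.encode() + b"\x00" + struct.pack("<iBxxxii", ptype, 0, 1, 1)
SAMPLE_DWAB_FLOAT = struct.pack("<iI", EXR_MAGIC, 2) + _attr("channels", "chlist", _channel("A", 1) + _channel("R", 2) + b"\x00") + _attr("compression", "compression", bytes([9])) + b"\x00"
SAMPLE_ZIP_HALF = struct.pack("<iI", EXR_MAGIC, 2) + _attr("channels", "chlist", _channel("R", 1) + b"\x00") + _attr("compression", "compression", bytes([3])) + b"\x00"
```

Run the checker on incoming files before they reach an unpatched decoder and route flagged ones to quarantine; it is a pre-filter, not a substitute for the upgrade.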
CVE-2026-34379 is a HIGH severity memory corruption vulnerability in OpenEXR versions 3.2.0 through 3.4.8, allowing potential code execution via a malformed EXR file.
You are affected if you are using OpenEXR versions 3.2.0 through 3.4.8. Check your installed version and upgrade if necessary.
Upgrade to OpenEXR version 3.2.7 or later to resolve this vulnerability. If immediate upgrade is not possible, implement input validation for EXR files.
Currently, there are no confirmed reports of active exploitation, but the HIGH severity score suggests a potential risk.
Refer to the OpenEXR project's security advisories and release notes for the latest information: [https://www.openexr.org/](https://www.openexr.org/)