CVE-2026-34379: OpenEXR Memory Write Vulnerability (3.2.0-3.4.9)
Platform: c
Component: openexr
Fixed in: 3.2.7
CVE-2026-34379 describes a misaligned memory write vulnerability found within the OpenEXR library, a specification and reference implementation for the EXR image file format. This flaw occurs during the decoding of DWA or DWAB-compressed EXR files containing FLOAT-type channels, potentially leading to application crashes or exploitation. The vulnerability affects versions 3.2.0 through 3.4.8, inclusive, and a fix is available in version 3.2.7.
How to fix
Upgrade the OpenEXR library to version 3.2.7 or later, 3.3.9 or later, or 3.4.9 or later to mitigate the vulnerability. The update fixes the misaligned write in the LossyDctDecoder_execute function, preventing undefined behavior and possible crashes.
Frequently asked questions
What is CVE-2026-34379?
CVE-2026-34379 is a memory write vulnerability in OpenEXR. It arises when decoding DWA/DWAB EXR files with FLOAT channels, due to a lack of alignment checks during the conversion process. This can lead to unexpected behavior or crashes.
Am I affected by CVE-2026-34379?
You are potentially affected if you are using OpenEXR versions 3.2.0 through the 3.4 series (>= 3.4.0, < 3.4.9). If you process EXR files with DWA or DWAB compression and FLOAT channels, you should assess your risk and apply the available fix.
How do I fix CVE-2026-34379?
The vulnerability is fixed in OpenEXR version 3.2.7. Upgrade to this version or a later version to mitigate the risk. Ensure you update your dependencies accordingly.
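An added example (not part of the original advisory or of OpenEXR) that checks a version inventory against the fixed releases named under "How to fix". It assumes each fix applies per release branch (3.2.x, 3.3.x, 3.4.x) and that branches newer than 3.4 already contain the fix; the host names and versions in the sample inventory are constructed.

```python
import re

# Fixed patch level per branch, from the "How to fix" text on this page.
FIXED_PATCH = {(3, 2): 7, (3, 3): 9, (3, 4): 9}
FIRST_AFFECTED = (3, 2, 0)  # lower bound of the affected range on this page


def parse_version(text):
    """Parse 'X.Y.Z' (optional leading 'v', optional suffix) into an int tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True if the version falls in an affected branch below that branch's fix."""
    major, minor, patch = parse_version(version_text)
    if (major, minor, patch) < FIRST_AFFECTED:
        return False  # older than the range the page lists
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Assumption: branches after 3.4 ship with the fix included.
        return False
    return patch < fixed


def audit(inventory):
    """Return the sorted names of inventory entries running an affected version."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "render-01": "3.2.6",
    "render-02": "3.2.7",
    "thumbs-01": "v3.3.8",   # newer than 3.2.7, but below its own branch's fix
    "thumbs-02": "3.4.9",
    "legacy-01": "3.1.11",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: OpenEXR {SAMPLE_INVENTORY[host]} needs upgrading")
```

Comparing against a single minimum version would pass 3.3.8 because it sorts above 3.2.7; the per-branch lookup flags it.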