CVE-2026-34543
HIGHOpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)
Title source: cnaDescription
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). This occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction. This issue has been patched in version 3.4.8.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vc68-257w-m432
X_Refsource_Misc x_refsource_misc
https://github.com/AcademySoftwareFoundation/openexr/commit/5f6d0aaa9e43802917af7db90f181e88e083d3b8
X_Refsource_Misc x_refsource_misc
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.8
Scores
CVSS v3
7.5
EPSS
0.0048
EPSS Percentile
37.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-908
Status
published
Products (3)
AcademySoftwareFoundation/openexr
>= 3.4.0, < 3.4.8
openexr/openexr
3.2.0 - 3.2.7
pypi/openexr
3.4.0 - 3.4.8PyPI
Published
Apr 01, 2026
Tracked Since
Apr 02, 2026