Memory Write Vulnerability in OpenEXR Image Processing Software by Academy Software Foundation
CVE-2026-34379

7.1 HIGH

Key Information:

CVE Published: 6 April 2026

What is CVE-2026-34379?

OpenEXR, an image storage format widely used in the motion picture industry, has a memory write vulnerability affecting several versions. The issue is a misaligned memory write in the LossyDctDecoder_execute function when it processes DWA- or DWAB-compressed EXR files with FLOAT-type channels. The decoder casts an unaligned pointer to a FLOAT pointer type and writes through it, which is undefined behavior and fails on systems that require aligned memory access. It can cause immediate crashes on architectures like ARM and RISC-V; on x86 the misaligned access may be silently tolerated at runtime, leaving it exploitable through compiler optimizations. The vulnerability has been addressed in versions 3.2.7, 3.3.9, and 3.4.9.
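The bug class described above, as an added example that is not OpenEXR's code: a cast-based float store into a byte row buffer next to the memcpy form that has no alignment requirement. All function names and the row layout are hypothetical and the pixel values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative sketch only; names are hypothetical, not taken from OpenEXR. */

/* Returns 1 if p is suitably aligned for a float access. */
int is_float_aligned(const void *p)
{
    return ((uintptr_t)p % _Alignof(float)) == 0;
}

/* Unsafe pattern: cast a byte pointer to float* and store through it.
 * If dst is misaligned this is undefined behavior: strict-alignment CPUs
 * can fault, and on x86 the compiler may still assume alignment when it
 * optimizes the loop. Shown for comparison; never called here. */
void store_floats_cast(uint8_t *dst, const float *src, size_t n)
{
    float *out = (float *)dst;
    for (size_t i = 0; i < n; ++i)
        out[i] = src[i];
}

/* Safe pattern: copy each value's bytes. memcpy accepts any alignment and
 * is lowered to an ordinary store where the target permits it. */
void store_floats_memcpy(uint8_t *dst, const float *src, size_t n)
{
    for (size_t i = 0; i < n; ++i)
        memcpy(dst + i * sizeof(float), &src[i], sizeof(float));
}

/* Reads a float back from a possibly misaligned byte position. */
float load_float(const uint8_t *p)
{
    float v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Constructed scenario: a FLOAT channel that starts one byte past an
 * aligned base. Returns 1 when the memcpy path round-trips every value. */
int demo_unaligned_row(void)
{
    union { float align; uint8_t bytes[1 + 3 * sizeof(float)]; } row = {0};
    const float px[3] = {0.25f, -1.5f, 1024.0f};
    uint8_t *chan = row.bytes + 1;          /* deliberately misaligned */
    if (is_float_aligned(chan)) return 0;   /* precondition of the demo */
    store_floats_memcpy(chan, px, 3);
    return load_float(chan) == px[0]
        && load_float(chan + sizeof(float)) == px[1]
        && load_float(chan + 2 * sizeof(float)) == px[2];
}
```

Building decoder code with -fsanitize=alignment (part of UBSan in GCC and Clang) reports the cast-based store on x86 at runtime, where it would otherwise go unnoticed.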

Affected Version(s)

openexr >= 3.2.0, < 3.2.7 (fixed in 3.2.7)

openexr >= 3.3.0, < 3.3.9 (fixed in 3.3.9)

openexr >= 3.4.0, < 3.4.9 (fixed in 3.4.9)

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved