Signed Integer Overflow Vulnerability in OpenEXR by Academy Software Foundation
CVE-2026-34380

5.9 MEDIUM

Key Information:

Status
Vendor
CVE Published: 6 April 2026

What is CVE-2026-34380?

A signed integer overflow vulnerability exists in OpenEXR's undo_pxr24_impl() function that can lead to buffer overflows. When a large width value is processed, the multiplication of width by 3 is performed in signed 32-bit integer arithmetic. For sufficiently large widths this multiplication overflows, which is undefined behavior and can cause the bounds check on the output buffer to pass when it should fail, leading to potential memory corruption beyond the allocated output buffer. The issue has been resolved in versions 3.2.7, 3.3.9, and 3.4.9, and users are urged to update to these versions promptly.
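The bounds-check failure described above, shown as an added example that is not OpenEXR's code: a hypothetical stand-in for a row-size check in a PXR24 decoder, with the weak 32-bit signed form beside a hardened form that computes the byte count in a wide type. The wrap of the overflowing product is emulated with unsigned arithmetic so the demonstration itself stays well defined.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical: a PXR24 row of `width` samples needs width * 3 output
 * bytes (three bytes per 24-bit sample). Both functions are constructed
 * for illustration and are not taken from OpenEXR. */

/* Weak pattern: width * 3 is computed as a signed 32-bit int. For widths
 * above INT32_MAX / 3 the product overflows; in C that is undefined
 * behaviour, and in practice the value wraps (emulated here via uint32_t),
 * so a row far larger than the buffer can pass the check. */
static bool row_fits_weak(int32_t width, size_t out_size) {
    int32_t needed = (int32_t)((uint32_t)width * 3u); /* wrapped product */
    return needed >= 0 && (size_t)needed <= out_size;
}

/* Hardened pattern: reject non-positive widths, do the multiplication in
 * 64 bits where it cannot overflow, and compare in size_t. An alternative
 * on GCC/Clang is __builtin_mul_overflow(). */
static bool row_fits_checked(int32_t width, size_t out_size) {
    if (width <= 0) {
        return false;
    }
    uint64_t needed = (uint64_t)width * 3u;
    return needed <= out_size;
}

/* Constructed width whose tripled value is 2^32 + 2, wrapping to 2. */
#define DEMO_WIDTH   ((int32_t)1431655766)
#define DEMO_BUFFER  ((size_t)1024)

int main(void) {
    printf("weak check passes:    %s\n",
           row_fits_weak(DEMO_WIDTH, DEMO_BUFFER) ? "yes" : "no");
    printf("checked check passes: %s\n",
           row_fits_checked(DEMO_WIDTH, DEMO_BUFFER) ? "yes" : "no");
    return 0;
}
```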

Affected Version(s)

openexr >= 3.2.0, < 3.2.7

openexr >= 3.3.0, < 3.3.9

openexr >= 3.4.0, < 3.4.9

References

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
