CVE-2026-34544 Overview
CVE-2026-34544 is an integer overflow vulnerability (CWE-190) in OpenEXR, the specification and reference implementation of the EXR file format widely used in the motion picture industry. The vulnerability exists in versions 3.4.0 through 3.4.7 and allows a crafted B44 or B44A EXR file to trigger an out-of-bounds write when decoded via the exr_decoding_run() function.
Critical Impact
A specially crafted EXR image file can cause memory corruption ranging from immediate application crashes to corruption of adjacent heap allocations, potentially enabling code execution in applications that process untrusted EXR files.
Affected Products
- OpenEXR versions 3.4.0 through 3.4.7
- Applications using OpenEXR library for EXR image decoding
- Software in motion picture, VFX, and digital imaging pipelines that process untrusted EXR files
Discovery Timeline
- 2026-04-01 - CVE-2026-34544 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34544
Vulnerability Analysis
This vulnerability stems from an integer overflow condition in the B44 and B44A image compression codec implementation within OpenEXR. When processing crafted EXR files, the calculation of row offsets in the decompression routine can overflow due to insufficient integer width, causing the resulting pointer arithmetic to produce incorrect memory addresses. This leads to writes outside the bounds of allocated buffer memory.
The B44 and B44A compression formats are designed for high dynamic range (HDR) images and are commonly used in film production workflows. Any application that decodes EXR files using the vulnerable exr_decoding_run() function is susceptible to this issue when processing malicious input files.
Root Cause
The root cause is an integer overflow in the row offset calculation within src/lib/OpenEXRCore/internal_b44.c. The original code computed row offsets using standard integer multiplication (y * nx), which can overflow when processing images with large dimensions. The multiplication result exceeded the maximum value representable by the integer type, wrapping around to a smaller value and causing subsequent pointer arithmetic to reference incorrect memory locations.
Attack Vector
This is a local attack vector requiring user interaction. An attacker must craft a malicious B44 or B44A compressed EXR file with specific dimension parameters designed to trigger the integer overflow. The victim must then open or process this file with an application using a vulnerable version of OpenEXR. Attack scenarios include:
- Malicious EXR files distributed via email or file sharing
- Compromised assets in content pipelines
- User-uploaded images on processing servers
// rightmost column and the bottom row.
//
uint16_t *row0, *row1, *row2, *row3;
+ /* row offset in elements: use uint64_t so y*nx cannot overflow int */
+ uint64_t row_off = (uint64_t) (y) * (uint64_t) (nx);
- row0 = (uint16_t*) scratch;
- row0 += y * nx;
-
- row1 = row0 + nx;
- row2 = row1 + nx;
- row3 = row2 + nx;
+ row0 = (uint16_t*) scratch + row_off;
+ row1 = row0 + (uint64_t) nx;
+ row2 = row1 + (uint64_t) nx;
+ row3 = row2 + (uint64_t) nx;
if (y + 3 >= ny)
{
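Review bot: widening the product to uint64_t stops y * nx from wrapping, but nothing in this hunk checks that row_off plus the three further nx-sized rows (row1..row3) still lies inside scratch; if the scratch allocation size is computed elsewhere with the same 32-bit arithmetic, the overflow moves rather than disappears, so the change should either validate nx and ny before this point or state in the commit where that bound is enforced. Minor: the parentheses in `(uint64_t) (y) * (uint64_t) (nx)` are redundant.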
Source: GitHub Commit 35e7aa35e22c1975606be86e859f31cc1fc598ee
The patch addresses the vulnerability by computing the row offset in an explicit uint64_t variable, row_off, instead of the implicit 32-bit int product y * nx used previously. This ensures the multiplication y * nx is performed with 64-bit precision, preventing overflow for any reasonable image dimensions. The subsequent pointer arithmetic also uses uint64_t casts to maintain consistency.
Detection Methods for CVE-2026-34544
Indicators of Compromise
- Application crashes or unexpected termination when opening EXR files
- Memory corruption errors or heap violations in EXR processing applications
- Anomalous EXR files with unusually large dimension parameters in image metadata
- Core dumps or crash reports referencing OpenEXR library functions, particularly exr_decoding_run() or B44/B44A decompression routines
Detection Strategies
- Monitor for application crashes in processes that handle EXR file decoding
- Implement file integrity monitoring for EXR assets in content pipelines
- Deploy endpoint detection to identify exploitation attempts via malformed image files
- Use memory safety tools (AddressSanitizer, Valgrind) during development and testing to detect out-of-bounds writes
Monitoring Recommendations
- Enable crash reporting and telemetry for applications using OpenEXR
- Monitor system logs for segmentation faults in image processing workflows
- Track OpenEXR library version usage across the environment to identify vulnerable deployments
- Implement file validation checks for EXR files from untrusted sources before processing
How to Mitigate CVE-2026-34544
Immediate Actions Required
- Upgrade OpenEXR to version 3.4.8 or later immediately
- Audit applications and dependencies for OpenEXR library usage
- Restrict processing of EXR files from untrusted sources until patches are applied
- Implement sandboxing for applications that process untrusted image files
Patch Information
The vulnerability has been patched in OpenEXR version 3.4.8. The fix modifies the row offset calculation in src/lib/OpenEXRCore/internal_b44.c to use 64-bit integer arithmetic, preventing the integer overflow condition.
- Patched Version: OpenEXR v3.4.8
- Security Advisory: GHSA-h762-rhv3-h25v
- Commit: 35e7aa35e22c1975606be86e859f31cc1fc598ee
Workarounds
- Avoid processing B44 or B44A compressed EXR files from untrusted sources until the patch is applied
- Convert untrusted EXR files to alternative formats using patched tools before processing
- Implement process isolation or sandboxing for EXR file processing to limit impact of exploitation
- Use file validation to reject EXR files with anomalous dimension parameters
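An added example (not OpenEXR's code) modelling the row-offset arithmetic described under Root Cause, with a pre-decode dimension check of the kind the file-validation workaround above calls for. The function names, the nx*ny-element scratch-buffer model and the policy cap are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Added example, not OpenEXR code. Models the B44 row-offset arithmetic
 * from the advisory; names and the nx*ny scratch model are assumptions. */

/* Pre-patch behaviour: y * nx evaluated as 32-bit int. Signed overflow
 * is undefined in C, so it is modelled with uint32_t wraparound here. */
uint32_t row_off_narrow(int32_t y, int32_t nx)
{
    return (uint32_t) y * (uint32_t) nx;      /* wraps modulo 2^32 */
}

/* Patched behaviour: the product is formed in 64 bits. */
uint64_t row_off_wide(int32_t y, int32_t nx)
{
    return (uint64_t) y * (uint64_t) nx;
}

/* True when the narrow and wide offsets disagree, i.e. when the
 * pre-patch pointer arithmetic would land at the wrong address. */
bool row_off_wraps(int32_t y, int32_t nx)
{
    return row_off_wide(y, nx) != (uint64_t) row_off_narrow(y, nx);
}

/* Pre-decode validation for an nx-by-ny B44/B44A image: the scratch
 * buffer (nx*ny elements) must stay under a caller policy cap, and the
 * offset of the last 4-row block start must fit in int32, so even an
 * unpatched decoder could not wrap. Returns true when safe. */
bool b44_dims_safe(int32_t nx, int32_t ny, uint64_t max_scratch_elems)
{
    if (nx <= 0 || ny <= 0) return false;
    if ((uint64_t) nx * (uint64_t) ny > max_scratch_elems) return false;
    int32_t last_y = (ny - 1) & ~3;           /* last block start row */
    return row_off_wide(last_y, nx) <= (uint64_t) INT32_MAX;
}

int main(void)
{
    /* Constructed case: 2^20 columns, block row 2^12 -> product 2^32 */
    int32_t nx = 1 << 20, y = 1 << 12;
    printf("narrow=%u wide=%llu wraps=%d\n", row_off_narrow(y, nx),
           (unsigned long long) row_off_wide(y, nx), row_off_wraps(y, nx));
    printf("4096x4096 ok=%d  1048576x8192 ok=%d\n",
           b44_dims_safe(4096, 4096, 1ull << 28),
           b44_dims_safe(1 << 20, 8192, 1ull << 40));
    return 0;
}
```

The 2^32 product truncates to 0 in 32-bit arithmetic, which is exactly the wrapped offset the vulnerable code would have fed into its pointer arithmetic.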
# Verify OpenEXR version and upgrade
pkg-config --modversion OpenEXR
# For systems using package managers, upgrade to patched version
# Example for systems building from source:
git clone https://github.com/AcademySoftwareFoundation/openexr.git
cd openexr
git checkout v3.4.8
mkdir build && cd build
cmake ..
make && sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.