Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-34545

CVE-2026-34545: OpenEXR RCE Vulnerability

CVE-2026-34545 is a remote code execution vulnerability in OpenEXR affecting versions 3.4.0 to 3.4.6. A heap overflow via crafted EXR files can enable attackers to execute arbitrary code. This article covers technical details, affected versions, impact, and mitigation steps.

Updated:

CVE-2026-34545 Overview

CVE-2026-34545 is a heap buffer overflow vulnerability in OpenEXR, the reference implementation of the EXR image file format used widely in the motion picture industry. The flaw exists in versions 3.4.0 through 3.4.6 and allows an attacker to write controlled data beyond an output heap buffer when decoding a crafted .exr file. Triggering the issue requires HTJ2K compression and a channel width of 32768. Any application that decodes EXR images is affected. The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and can lead to remote code execution. The issue is patched in OpenEXR 3.4.7.

Critical Impact

A crafted EXR file processed by a vulnerable decoder can corrupt the heap and lead to arbitrary code execution in the host application.

Affected Products

  • OpenEXR 3.4.0 through 3.4.6
  • Applications and libraries embedding the OpenEXR reference decoder
  • Media and VFX pipelines that parse untrusted .exr assets

Discovery Timeline

  • 2026-04-01 - CVE-2026-34545 published to NVD
  • 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-34545

Vulnerability Analysis

The vulnerability resides in the HTJ2K (High-Throughput JPEG 2000) decompression path within OpenEXR. When the decoder processes a channel declared with a width of 32768, internal buffer sizing calculations fail to bound the output write region. The decoder then writes decompressed pixel data past the end of the allocated heap buffer. Each overflow iteration writes 2 bytes through one code path, or 4 bytes through an alternate path, and continues for every additional pixel beyond the boundary. This produces a controlled, repeating heap write primitive that an attacker can shape by manipulating the input image. Because OpenEXR is embedded across compositing tools, rendering engines, and asset pipelines, the affected surface includes both interactive applications and automated batch processors.

Root Cause

The root cause is improper validation of channel dimensions during HTJ2K decompression. The decoder trusts the declared channel width and allocates output storage based on assumptions that the crafted width of 32768 violates. Subsequent pixel writes proceed past the buffer end, yielding a linear heap overflow.

Attack Vector

Exploitation requires the target to open or process a malicious .exr file. This can occur through user interaction such as opening a file in a viewer or editor, or automatically through render farms, asset ingest services, and thumbnail generators. The CVSS v4.0 vector indicates a local attack vector with user interaction, but the practical reach extends to any workflow that consumes externally supplied EXR content.

No public proof-of-concept exploit code is currently associated with this CVE. Technical mechanics are documented in the GitHub Security Advisory GHSA-ghfj-fx47-wg97 and the fix commit.

Detection Methods for CVE-2026-34545

Indicators of Compromise

  • .exr files declaring HTJ2K compression with a channel width of exactly 32768
  • Crashes or abnormal terminations in processes linking libOpenEXR when handling external image assets
  • Unexpected child processes or shell activity spawned from image viewers, compositors, or render workers

Detection Strategies

  • Inspect EXR headers at the gateway or asset ingest stage and reject files with anomalous channel widths or unsupported compression combinations
  • Monitor processes that load libOpenEXR or OpenEXRCore for heap corruption signatures, including aborts from glibc or AddressSanitizer in test environments
  • Correlate image-processing process crashes with subsequent suspicious process creation to surface post-exploitation behavior

Monitoring Recommendations

  • Track OpenEXR library versions across endpoints, build servers, and render nodes to identify unpatched installations of 3.4.0 through 3.4.6
  • Alert on EXR file submissions originating from untrusted sources to production rendering or content pipelines
  • Capture telemetry from image-handling applications for anomalous memory access patterns and unexpected outbound network connections

How to Mitigate CVE-2026-34545

Immediate Actions Required

  • Upgrade OpenEXR to version 3.4.7 or later on all systems that decode EXR files
  • Inventory third-party applications that bundle OpenEXR and apply vendor updates as they become available
  • Restrict ingestion of .exr files from untrusted sources until patching is complete

Patch Information

The issue is fixed in OpenEXR 3.4.7. The corrective change is available in the upstream commit 3827998f and shipped via the v3.4.7 release. Review the GHSA-ghfj-fx47-wg97 advisory for downstream guidance.

Workarounds

  • Disable or block HTJ2K-compressed EXR processing where the application supports compression selection
  • Pre-filter incoming EXR files to reject any with channel widths of 32768 or other implausible dimensions
  • Process untrusted EXR files inside sandboxed or containerized environments with no network egress and reduced filesystem privileges
bash
# Verify installed OpenEXR version and upgrade
pkg-config --modversion OpenEXR
# Build and install patched release
git clone --branch v3.4.7 https://github.com/AcademySoftwareFoundation/openexr.git
cd openexr && cmake -S . -B build && cmake --build build --target install

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.