CVE-2026-34545 Overview
CVE-2026-34545 is a heap buffer overflow vulnerability in OpenEXR, the reference implementation of the EXR image file format used widely in the motion picture industry. The flaw exists in versions 3.4.0 through 3.4.6 and allows an attacker to write controlled data beyond an output heap buffer when decoding a crafted .exr file. Triggering the issue requires HTJ2K compression and a channel width of 32768. Any application that decodes EXR images with an affected library version is exposed. The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and can lead to remote code execution. The issue is patched in OpenEXR 3.4.7.
Critical Impact
A crafted EXR file processed by a vulnerable decoder can corrupt the heap and lead to arbitrary code execution in the host application.
Affected Products
- OpenEXR 3.4.0 through 3.4.6
- Applications and libraries embedding the OpenEXR reference decoder
- Media and VFX pipelines that parse untrusted .exr assets
Discovery Timeline
- 2026-04-01 - CVE-2026-34545 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-34545
Vulnerability Analysis
The vulnerability resides in the HTJ2K (High-Throughput JPEG 2000) decompression path within OpenEXR. When the decoder processes a channel declared with a width of 32768, internal buffer sizing calculations fail to bound the output write region. The decoder then writes decompressed pixel data past the end of the allocated heap buffer. Each overflow iteration writes 2 bytes through one code path, or 4 bytes through an alternate path, and continues for every additional pixel beyond the boundary. This produces a controlled, repeating heap write primitive that an attacker can shape by manipulating the input image. Because OpenEXR is embedded across compositing tools, rendering engines, and asset pipelines, the affected surface includes both interactive applications and automated batch processors.
Root Cause
The root cause is improper validation of channel dimensions during HTJ2K decompression. The decoder trusts the declared channel width and allocates output storage based on assumptions that the crafted width of 32768 violates. Subsequent pixel writes proceed past the buffer end, yielding a linear heap overflow.
Attack Vector
Exploitation requires the target to open or process a malicious .exr file. This can occur through user interaction such as opening a file in a viewer or editor, or automatically through render farms, asset ingest services, and thumbnail generators. The CVSS v4.0 vector indicates a local attack vector with user interaction, but the practical reach extends to any workflow that consumes externally supplied EXR content.
No public proof-of-concept exploit code is currently associated with this CVE. Technical mechanics are documented in the GitHub Security Advisory GHSA-ghfj-fx47-wg97 and the fix commit.
Detection Methods for CVE-2026-34545
Indicators of Compromise
- .exr files declaring HTJ2K compression with a channel width of exactly 32768
- Crashes or abnormal terminations in processes linking libOpenEXR when handling external image assets
- Unexpected child processes or shell activity spawned from image viewers, compositors, or render workers
Detection Strategies
- Inspect EXR headers at the gateway or asset ingest stage and reject files with anomalous channel widths or unsupported compression combinations
- Monitor processes that load libOpenEXR or OpenEXRCore for heap corruption signatures, including aborts from glibc or AddressSanitizer in test environments
- Correlate image-processing process crashes with subsequent suspicious process creation to surface post-exploitation behavior
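The crash-correlation strategy above can be expressed as a small detection routine. The following is an added example, not code from the advisory or from the OpenEXR project: it parses constructed, syslog-style crash and process-creation records (the line formats, process names and the suspicious-binary list are assumptions for the example) and raises an alert when a shell or downloader is executed by an image-handling process on the same host within a short window of a libOpenEXR crash.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records; the formats are assumed for this example, not taken
# from any real product's log output.
SAMPLE_LOGS = [
    "2026-04-08T10:00:01Z render07 kernel: exr_worker[4321]: segfault at 7f3a error 6 in libOpenEXR-3_4.so",
    "2026-04-08T10:00:03Z render07 audit: exec pid=4390 ppid=4321 comm=exr_worker exe=/bin/sh",
    "2026-04-08T10:00:05Z render07 audit: exec pid=4391 ppid=4390 comm=sh exe=/usr/bin/curl",
    "2026-04-08T10:30:00Z render08 audit: exec pid=5100 ppid=5001 comm=nuke exe=/usr/bin/python3",
    "2026-04-08T11:00:00Z render08 kernel: nuke[5001]: segfault at 0 error 4 in libOpenEXR-3_4.so",
]

# Kernel segfault report that names a libOpenEXR shared object.
CRASH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"segfault .* in (?P<lib>libOpenEXR\S*)"
)
# Process-creation record with parent pid and parent command name.
EXEC_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) audit: exec pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"comm=(?P<comm>\S+) exe=(?P<exe>\S+)"
)

# Binaries an image decoder has no business launching (assumed policy list).
SUSPICIOUS_EXE = {"/bin/sh", "/bin/bash", "/usr/bin/curl", "/usr/bin/wget"}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def correlate(lines, window=timedelta(seconds=300)):
    """Return alerts for suspicious executions linked to a nearby libOpenEXR crash.

    An execution is linked to a crash when both are on the same host, the crashed
    pid is the parent of the new process (or the parent's command name matches the
    crashed process), and the two events fall within `window` of each other.
    """
    crashes, execs = [], []
    for line in lines:
        m = CRASH_RE.match(line)
        if m:
            crashes.append({**m.groupdict(), "ts": _ts(m["ts"])})
            continue
        m = EXEC_RE.match(line)
        if m:
            execs.append({**m.groupdict(), "ts": _ts(m["ts"])})

    alerts = []
    for ex in execs:
        if ex["exe"] not in SUSPICIOUS_EXE:
            continue
        for cr in crashes:
            same_host = cr["host"] == ex["host"]
            linked = cr["pid"] == ex["ppid"] or cr["proc"] == ex["comm"]
            if same_host and linked and abs(cr["ts"] - ex["ts"]) <= window:
                alerts.append({
                    "host": ex["host"],
                    "exec_pid": int(ex["pid"]),
                    "parent": ex["comm"],
                    "exe": ex["exe"],
                    "crash_pid": int(cr["pid"]),
                    "lib": cr["lib"],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the sample records only the `/bin/sh` launched by the crashed `exr_worker` is reported; the `nuke` crash on render08 is half an hour from the nearest execution and that execution is not in the suspicious set, so it stays quiet. In a real pipeline the window, the process-name set and the binary list are the tuning knobs.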
Monitoring Recommendations
- Track OpenEXR library versions across endpoints, build servers, and render nodes to identify unpatched installations of 3.4.0 through 3.4.6
- Alert on EXR file submissions originating from untrusted sources to production rendering or content pipelines
- Capture telemetry from image-handling applications for anomalous memory access patterns and unexpected outbound network connections
How to Mitigate CVE-2026-34545
Immediate Actions Required
- Upgrade OpenEXR to version 3.4.7 or later on all systems that decode EXR files
- Inventory third-party applications that bundle OpenEXR and apply vendor updates as they become available
- Restrict ingestion of .exr files from untrusted sources until patching is complete
Patch Information
The issue is fixed in OpenEXR 3.4.7. The corrective change is available in the upstream commit 3827998f and shipped via the v3.4.7 release. Review the GHSA-ghfj-fx47-wg97 advisory for downstream guidance.
Workarounds
- Disable or block HTJ2K-compressed EXR processing where the application supports compression selection
- Pre-filter incoming EXR files to reject any with channel widths of 32768 or other implausible dimensions
- Process untrusted EXR files inside sandboxed or containerized environments with no network egress and reduced filesystem privileges
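The header-inspection detection strategy and the pre-filter workaround above both come down to reading the EXR header without decoding any pixel data. The following is an added example, not code from the advisory or from the OpenEXR project: it parses the attribute list of a single-part EXR header (magic, version word, then name/type/size/value attributes terminated by a null byte), decodes the `channels` and `dataWindow` attributes, and rejects files that combine HTJ2K compression with a channel width of 32768 or that declare an implausibly wide image. The HTJ2K compression id of 10 is taken from the OpenEXR 3.4 compression enum and should be confirmed against the headers of the build you deploy; the 65535-pixel plausibility cap and the constructed sample headers are assumptions for the example.

```python
import struct

EXR_MAGIC = b"\x76\x2f\x31\x01"
# Compression id for HTJ2K as added in OpenEXR 3.4 (assumed value; verify against
# your build's ImfCompression.h / openexr_attr.h).
HTJ2K_COMPRESSION = 10
TRIGGER_WIDTH = 32768          # the width named in the advisory
MULTIPART_FLAG = 0x1000        # version-word bit for multi-part files


def _cstring(buf, pos):
    """Read a null-terminated string starting at pos; return (text, next_pos)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_exr_header(data):
    """Return {attribute name: (type name, raw value bytes)} for a single-part header."""
    if data[:4] != EXR_MAGIC:
        raise ValueError("not an EXR file")
    version = struct.unpack_from("<I", data, 4)[0]
    if version & MULTIPART_FLAG:
        raise ValueError("multi-part file: several headers follow, not handled here")
    pos, attrs = 8, {}
    while data[pos] != 0:                     # a lone null byte ends the attribute list
        name, pos = _cstring(data, pos)
        atype, pos = _cstring(data, pos)
        size = struct.unpack_from("<i", data, pos)[0]
        pos += 4
        attrs[name] = (atype, data[pos:pos + size])
        pos += size
    return attrs


def parse_channels(raw):
    """Decode a 'chlist' value: name, pixelType, pLinear, 3 reserved bytes, xSampling, ySampling."""
    channels, pos = [], 0
    while raw[pos] != 0:
        name, pos = _cstring(raw, pos)
        pixel_type, _plinear, xs, ys = struct.unpack_from("<iB3xii", raw, pos)
        pos += 16
        channels.append((name, pixel_type, xs, ys))
    return channels


def check_exr(data, max_width=65535):
    """Return a list of reasons to reject the file; an empty list means it passed."""
    attrs = parse_exr_header(data)
    compression = attrs["compression"][1][0]
    xmin, _ymin, xmax, _ymax = struct.unpack("<iiii", attrs["dataWindow"][1])
    width = xmax - xmin + 1
    reasons = []
    if width > max_width:
        reasons.append(f"implausible data window width {width}")
    for name, _ptype, xs, _ys in parse_channels(attrs["channels"][1]):
        ch_width = width // xs if xs > 0 else width   # samples across one scanline
        if compression == HTJ2K_COMPRESSION and ch_width == TRIGGER_WIDTH:
            reasons.append(f"channel {name!r}: HTJ2K with width {ch_width}")
    return reasons


def _attr(name, atype, value):
    return name.encode() + b"\x00" + atype.encode() + b"\x00" + struct.pack("<i", len(value)) + value


def build_header(compression, width, height=1, channels=("R", "G", "B")):
    """Constructed minimal single-part EXR header (no pixel data) for testing the checker."""
    chlist = b"".join(c.encode() + b"\x00" + struct.pack("<iB3xii", 1, 0, 1, 1) for c in channels) + b"\x00"
    box = struct.pack("<iiii", 0, 0, width - 1, height - 1)
    hdr = EXR_MAGIC + struct.pack("<I", 2)
    hdr += _attr("channels", "chlist", chlist)
    hdr += _attr("compression", "compression", bytes([compression]))
    hdr += _attr("dataWindow", "box2i", box)
    hdr += _attr("displayWindow", "box2i", box)
    hdr += _attr("lineOrder", "lineOrder", b"\x00")
    hdr += _attr("pixelAspectRatio", "float", struct.pack("<f", 1.0))
    hdr += _attr("screenWindowCenter", "v2f", struct.pack("<ff", 0.0, 0.0))
    hdr += _attr("screenWindowWidth", "float", struct.pack("<f", 1.0))
    return hdr + b"\x00"


if __name__ == "__main__":
    print(check_exr(build_header(3, 1920)))                 # ZIP, ordinary width: []
    print(check_exr(build_header(HTJ2K_COMPRESSION, 32768)))  # one reason per channel
```

Run it at the ingest gateway on the first few kilobytes of each submission; the check never touches the offset table or scanline data, so it is safe to apply before the file reaches any decoder. Multi-part files are rejected outright here rather than parsed, which is the conservative choice for a pre-filter.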
# Verify the installed OpenEXR version; anything from 3.4.0 through 3.4.6 is vulnerable
pkg-config --modversion OpenEXR
# Build and install the patched release from the upstream v3.4.7 tag
git clone --branch v3.4.7 --depth 1 https://github.com/AcademySoftwareFoundation/openexr.git
cd openexr && cmake -S . -B build -DCMAKE_BUILD_TYPE=Release && cmake --build build --target install
# Confirm the upgrade took effect
pkg-config --modversion OpenEXR