CVE-2026-34380

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undopxr24impl() in src/lib/OpenEXRCore/internalpxr24.c at line 377. The expression (uint64t)(w * 3) computes w * 3 as a signed 32-bit integer before casting to uint64_t. When w is large, this multiplication constitutes undefined behavior under the C standard. On tested builds (clang/gcc without sanitizers), two's-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer, which may allow the subsequent bounds check to pass incorrectly. If the check is bypassed, the decoding loop proceeds to write pixel data through dout, potentially extending far beyond the allocated output buffer. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34380.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-190",
        "CWE-787"
    ]
}

References

Affected packages

Git / github.com/academysoftwarefoundation/openexr

Affected ranges

Type: GIT
Repo: https://github.com/academysoftwarefoundation/openexr
Events: Introduced

20a65852895894434bea88613f6d29ac8e88bd6e

Fixed

b5fa98ac6b5fc660c0295123c1d02bbf687dbec3

Affected versions

v3.*

v3.4.0

v3.4.1

v3.4.1-rc

v3.4.1-rc2

v3.4.2

v3.4.2-rc

v3.4.2-rc2

v3.4.3

v3.4.3-rc

v3.4.3-rc2

v3.4.3-rc3

v3.4.4

v3.4.4-rc

v3.4.4-rc2

v3.4.5

v3.4.5-rc

v3.4.6

v3.4.6-rc

v3.4.7

v3.4.7-rc

v3.4.8

v3.4.8-rc

v3.4.9-rc

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34380.json"