OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34588.json
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
https://bugzilla.redhat.com/show_bug.cgi?id=2455408
https://access.redhat.com/security/cve/CVE-2026-34588
https://access.redhat.com/errata/RHSA-2026:30089
https://access.redhat.com/errata/RHSA-2026:30088
https://access.redhat.com/errata/RHSA-2026:30087
https://access.redhat.com/errata/RHSA-2026:30078
https://access.redhat.com/errata/RHSA-2026:19587
https://access.redhat.com/errata/RHSA-2026:19359
https://access.redhat.com/errata/RHSA-2026:19146
https://access.redhat.com/errata/RHSA-2026:17660
https://access.redhat.com/errata/RHSA-2026:17659
https://access.redhat.com/errata/RHSA-2026:17658
https://access.redhat.com/errata/RHSA-2026:17656
Published: 2026-04-06
Updated: 2026-06-30
Base Score: 6.8
Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C
Severity: Medium
Base Score: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: High
Base Score: 8.6
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Severity: High
EPSS: 0.00014