Detections
Analytics

Amazon Linux 2023 : openexr, openexr-devel, openexr-libs (ALAS2023-2026-1612)

high Nessus Plugin ID 311329

Synopsis

The remote Amazon Linux 2023 host is missing a security update.

Description

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1612 advisory.

 OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a signed integer overflow in generic_unpack(). By setting dataWindow.min.x to a large negative value, OpenEXRCore computes an enormous image width, which is later used in a signed integer multiplication that overflows, causing the process to terminate with SIGILL via UBSan. This vulnerability is fixed in 3.4.9. (CVE-2026-34378)

 OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c at line 377. The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit integer before casting to uint64_t. When w is large, this multiplication constitutes undefined behavior under the C standard. On tested builds (clang/gcc without sanitizers), two's-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer, which may allow the subsequent bounds check to pass incorrectly. If the check is bypassed, the decoding loop proceeds to write pixel data through dout, potentially extending far beyond the allocated output buffer. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
 (CVE-2026-34380)

 OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of- bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
 (CVE-2026-34588)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'dnf update openexr --releasever 2023.11.20260427' or or 'dnf update --advisory ALAS2023-2026-1612 --releasever 2023.11.20260427' to update your system.

See Also

https://alas.aws.amazon.com//AL2023/ALAS2023-2026-1612.html

https://alas.aws.amazon.com/faqs.html

https://explore.alas.aws.amazon.com/CVE-2026-34378.html

https://explore.alas.aws.amazon.com/CVE-2026-34380.html

https://explore.alas.aws.amazon.com/CVE-2026-34588.html

Plugin Details

Severity: High

ID: 311329

File Name: al2023_ALAS2023-2026-1612.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 4/30/2026

Updated: 4/30/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-34588

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.6

Threat Score: 7.3

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:openexr-debugsource, p-cpe:/a:amazon:linux:openexr-devel, p-cpe:/a:amazon:linux:openexr-libs, p-cpe:/a:amazon:linux:openexr-libs-debuginfo, p-cpe:/a:amazon:linux:openexr-debuginfo, p-cpe:/a:amazon:linux:openexr, cpe:/o:amazon:linux:2023

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/30/2026

Vulnerability Publication Date: 4/2/2026

Reference Information

CVE: CVE-2026-34378, CVE-2026-34380, CVE-2026-34588

IAVA: 2026-A-0295