CVE-2026-34544: OpenEXR: integer overflow to OOB write in uncompress_b44_impl()
The B44/B44A decoder in OpenEXR (uncompress_b44_impl()) reconstructs per-row pointers into a scratch buffer using int arithmetic. For an input file whose channel width (nx) is large enough, the product y * nx overflows int, so the computed row pointer wraps to an address before the start of the scratch buffer. The memcpy() calls that then copy decoded pixel blocks into that row write outside the buffer, giving an out-of-bounds write driven entirely by the contents of the file being decoded. The fix commit and the v3.4.8 release are listed under References.
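The unchecked offset computation next to a bounded alternative, as an added illustration that is not OpenEXR's code and does not reproduce the patched function. It models a much simplified decoder: one byte per sample, a fixed 4-byte block, a 64-byte scratch buffer; the names g_scratch, row_offset_int_wrap, row_offset_checked and copy_block_to_row are invented for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative decoder model (not OpenEXR's code): one byte per sample,
 * fixed-width blocks, a fixed-size scratch buffer. */
#define BLOCK_W 4
#define SCRATCH_LEN 64
static uint8_t g_scratch[SCRATCH_LEN];

/* Vulnerable pattern: the row offset y * nx computed in 32-bit int.
 * Signed overflow is undefined behaviour in C, so this models the result
 * instead: the unsigned multiply is well defined, and the conversion back
 * to int32_t is implementation-defined, yielding the wrapped (negative)
 * value on two's-complement targets. The row pointer scratch + offset then
 * lands before the buffer. */
static int32_t row_offset_int_wrap(int32_t y, int32_t nx)
{
    uint32_t prod = (uint32_t)y * (uint32_t)nx;   /* wraps modulo 2^32 */
    return (int32_t)prod;                          /* negative once y*nx > INT32_MAX */
}

/* Hardened: widen before multiplying, reject anything the int arithmetic
 * would have overflowed, and bound the row plus one block against the
 * scratch buffer. Returns the byte offset, or -1 if the row is invalid. */
static int64_t row_offset_checked(int32_t y, int32_t nx, size_t scratch_len)
{
    if (y < 0 || nx <= 0) return -1;
    int64_t prod = (int64_t)y * (int64_t)nx;
    if (prod > INT32_MAX) return -1;                   /* would overflow int */
    if ((uint64_t)prod + BLOCK_W > scratch_len) return -1; /* block must fit */
    return prod;
}

/* Copy one decoded block into row y of g_scratch; 0 on success, -1 if the
 * row offset fails validation (no memcpy happens in that case). */
static int copy_block_to_row(int32_t y, int32_t nx, const uint8_t block[BLOCK_W])
{
    int64_t off = row_offset_checked(y, nx, SCRATCH_LEN);
    if (off < 0) return -1;
    memcpy(g_scratch + off, block, BLOCK_W);
    return 0;
}

int main(void)
{
    static const uint8_t block[BLOCK_W] = {0xDE, 0xAD, 0xBE, 0xEF};
    /* Constructed input: nx large enough that y * nx exceeds INT32_MAX. */
    int32_t y = 3, nx = 1000000000;
    printf("int offset for y=%d nx=%d: %d (points before the buffer)\n",
           y, nx, row_offset_int_wrap(y, nx));
    printf("checked offset for the same row: %lld\n",
           (long long)row_offset_checked(y, nx, SCRATCH_LEN));
    printf("copy into row 2 of a 16-wide image: %d\n", copy_block_to_row(2, 16, block));
    printf("copy into row 15 of a 16-wide image (past 64 bytes): %d\n",
           copy_block_to_row(15, 16, block));
    return 0;
}
```

The checked version rejects two distinct failure modes: a product that the original int arithmetic would have wrapped (y = 3, nx = 1000000000 gives a negative int offset but is refused here), and a row that is arithmetically fine yet does not fit in the buffer. A real fix needs the second check regardless of the integer width, since widening alone only moves the overflow boundary.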
References
- github.com/AcademySoftwareFoundation/openexr
- github.com/AcademySoftwareFoundation/openexr/commit/35e7aa35e22c1975606be86e859f31cc1fc598ee
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.8
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h762-rhv3-h25v
- github.com/advisories/GHSA-h762-rhv3-h25v
- nvd.nist.gov/vuln/detail/CVE-2026-34544