CVE-2026-34588: OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic:
wavbuf += nx * ny * wcount;
Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes.
Tested on commit 7820b7e1b93405ba1d551c43a945018226b75bc5
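The following is an added example, not OpenEXR's own code or its fix: it shows the defensive form of the per-channel advance, computing `nx * ny * wcount` in 64 bits and rejecting any advance that would wrap or run past the working buffer. The names `advance_or_fail`, `walk_channels` and `channel_dims_t`, and the sample channel dimensions, are constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not OpenEXR code. The decoder's `wavbuf += nx * ny * wcount;`
   multiplies three ints in 32 bits, so a crafted header can wrap the product.
   advance_or_fail() does the arithmetic in 64 bits and refuses any advance that
   overflows or exceeds the `remaining` elements of the working buffer. */

/* Returns the per-channel advance (in elements) or -1 if it is invalid. */
static int64_t advance_or_fail(int nx, int ny, int wcount, size_t remaining)
{
    if (nx < 0 || ny < 0 || wcount < 0) return -1;
    uint64_t prod = (uint64_t)nx * (uint64_t)ny;  /* each < 2^31, cannot overflow */
    /* Check prod * wcount <= remaining without overflowing uint64_t. */
    if (wcount != 0 && prod > (uint64_t)remaining / (uint64_t)wcount) return -1;
    prod *= (uint64_t)wcount;
    if (prod > (uint64_t)remaining) return -1;
    return (int64_t)prod;
}

typedef struct { int nx, ny, wcount; } channel_dims_t;

/* Walks the channels the way the in-place decode loop does, moving a cursor
   through a buffer of `buflen` elements. Returns the channel count on success,
   or -(i+1) for the first channel i whose advance would wrap or overrun. */
static int walk_channels(const channel_dims_t *ch, int nch, size_t buflen)
{
    size_t cursor = 0;
    for (int i = 0; i < nch; i++) {
        int64_t adv = advance_or_fail(ch[i].nx, ch[i].ny, ch[i].wcount, buflen - cursor);
        if (adv < 0) return -(i + 1);
        cursor += (size_t)adv;
    }
    return nch;
}

/* Constructed sample headers (not taken from any real EXR file). */
static const channel_dims_t benign[2]  = { {1024, 768, 3}, {1024, 768, 3} };
static const channel_dims_t crafted[2] = { {1024, 768, 3}, {65536, 32768, 1} };

/* 65536 * 32768 * 1 = 2^31 does not fit a signed 32-bit int (the unchecked
   expression wraps negative); in 64 bits it simply exceeds the buffer and is
   rejected, so the second channel never decodes from a bogus address. */
int demo_benign(void)  { return walk_channels(benign, 2, 2u * 1024u * 768u * 3u); }
int demo_crafted(void) { return walk_channels(crafted, 2, 2u * 1024u * 768u * 3u); }

int main(void)
{
    printf("benign: %d, crafted: %d\n", demo_benign(), demo_crafted());
    return 0;
}
```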
References
- github.com/AcademySoftwareFoundation/openexr
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf
- github.com/advisories/GHSA-588r-cr5c-w6hf
- nvd.nist.gov/vuln/detail/CVE-2026-34588