CVE-2026-34589: OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write
The DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store.
This bug is reachable from the public decoder path and can be reproduced through the shipped exrcheck tool with a crafted scanline DWAA file. The confirmed dynamic symptom is a write-side crash in the lossy DCT execution path.
Tested on commit: 7820b7e1b93405ba1d551c43a945018226b75bc5
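As an added illustration of the bug class, not OpenEXR's own code: the layout, function names and sizes below are assumed. It places the 32-bit offset computation beside a checked 64-bit form that rejects a wrapped or out-of-range block before any pointer into the backing store is formed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical illustration of the bug class, not OpenEXR's code.
 * Assumed layout: one rowBlock buffer of buf_elems elements holds the
 * per-component blocks back to back, each width * block_rows elements,
 * so component comp starts at element comp * width * block_rows. */

/* Vulnerable form: the product is formed in 32-bit arithmetic and then used
 * as a pointer offset. The wrap is modelled with uint32_t so the demo is
 * well-defined; the signed version is undefined behaviour that in practice
 * yields the same bit pattern. */
int32_t block_offset_wrapped(int32_t comp, int32_t width, int32_t block_rows)
{
    uint32_t prod = (uint32_t)comp * (uint32_t)width * (uint32_t)block_rows;
    return (int32_t)prod;   /* may be negative, or alias another component */
}

/* Hardened form: widen to 64 bits, reject any wrap, and require the whole
 * block (not just its first element) to fit in the backing store. */
bool block_offset_checked(int32_t comp, int32_t width, int32_t block_rows,
                          size_t buf_elems, size_t *offset_out)
{
    if (comp < 0 || width <= 0 || block_rows <= 0)
        return false;
    uint64_t block = (uint64_t)width * (uint64_t)block_rows; /* < 2^62, no wrap */
    uint64_t n = (uint64_t)comp + 1;            /* blocks up to and including comp */
    if (block > UINT64_MAX / n)
        return false;                           /* n * block would wrap */
    uint64_t end = n * block;
    if (end > buf_elems)
        return false;                           /* block would run past rowBlock */
    *offset_out = (size_t)(end - block);
    return true;
}

int main(void)
{
    int32_t width = 1 << 28, rows = 8;   /* constructed: width * rows == 2^31 */
    for (int32_t c = 0; c < 3; c++)
        printf("comp %d: wrapped offset %d\n", c, block_offset_wrapped(c, width, rows));
    size_t off;
    printf("checked: %s\n", block_offset_checked(1, width, rows, 4096, &off) ? "ok" : "rejected");
    return 0;
}
```

With the constructed width, component 1 wraps to a negative offset and component 2 wraps to 0, aliasing component 0; the checked form rejects both.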
References
- github.com/AcademySoftwareFoundation/openexr
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x
- github.com/advisories/GHSA-p8xc-w3q4-h64x
- nvd.nist.gov/vuln/detail/CVE-2026-34589