Cyber Posture

CVE-2026-34379

Severity: High · Public PoC available · Patch available

Published: 06 April 2026
Modified: 07 April 2026
KEV Added: none (not listed in the CISA KEV catalog)
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H)
EPSS Score: 0.0007 (20.4th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34379 is a high-severity Incorrect Type Conversion or Cast (CWE-704) vulnerability in the OpenEXR library (NVD vendor/product: openexr/openexr). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 20.4th percentile by exploit likelihood (below the median). It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-2 Flaw Remediation (prevent)

Requires timely identification, prioritization, and remediation of software flaws such as CVE-2026-34379 by upgrading vulnerable OpenEXR builds to 3.2.7, 3.3.9, or 3.4.9.

RA-5 Vulnerability Monitoring and Scanning (detect)

Enables automated vulnerability scanning to find systems that carry OpenEXR library versions affected by the misaligned memory write.

SI-16 Memory Protection (prevent; the control identifier is inferred from the description, which the page itself does not label)

Provides memory protections such as ASLR and DEP that raise the cost of turning the undefined behavior of unaligned float writes on x86 into reliable exploitation.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

A memory corruption vulnerability in a client-side image decoding library (OpenEXR), triggered by a crafted file that the user must open or process, is the textbook case of exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file containing a FLOAT-type channel, the decoder performs an in-place HALF→FLOAT conversion by casting an unaligned uint8_t * row pointer to float * and writing through it. Because the row buffer may not be 4-byte aligned, this constitutes undefined behavior under the C standard and crashes immediately on architectures that enforce alignment (ARM, RISC-V, etc.). On x86 it is silently tolerated at runtime but remains exploitable via compiler optimizations that assume aligned access. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.

Deeper analysis (AI-generated)

CVE-2026-34379 is a misaligned memory write in the OpenEXR library, the specification and reference implementation of the EXR image format used in the motion picture industry. The issue is in LossyDctDecoder_execute() at src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file with a FLOAT-type channel, the decoder converts HALF samples to FLOAT in place by casting an unaligned uint8_t* row pointer to float* and writing through it. Because the row buffer is not guaranteed to be 4-byte aligned, that store is undefined behavior under the C standard: on architectures that enforce alignment (ARM, RISC-V) it crashes immediately, while x86 tolerates misaligned scalar stores at run time, so the bug stays silent there until the compiler relies on the alignment it is entitled to assume (for instance by emitting aligned vector stores, which do fault on a misaligned address). Affected versions are 3.2.0 and later in the 3.2.x, 3.3.x and 3.4.x series, up to but not including 3.2.7, 3.3.9 and 3.4.9 respectively. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H) and is classified under CWE-704 (Incorrect Type Conversion or Cast), CWE-787 (Out-of-bounds Write) and CWE-843 (Access of Resource Using Incompatible Type).
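The idiom the advisory describes, shown as an added C example that is not OpenEXR's code and does not reproduce the affected function (the real loop in internal_dwa_decoder.h is not on this page). expand_row_unaligned_cast models the vulnerable pattern, casting a byte pointer to float * and storing through it; expand_row_memcpy is the hardened form, which copies the 32-bit value with memcpy so the compiler emits a store that is valid at any address. The in-place HALF→FLOAT expansion walks the row backwards because each output float overwrites two input halves; that ordering, the half_to_float routine, the row length and the four sample values are assumptions made for the demonstration. The row is placed one byte past a float-aligned address so both routines work on a genuinely misaligned buffer: the memcpy version gives correct results everywhere, whereas the cast version is undefined behaviour that a strict-alignment CPU faults on and that -fsanitize=alignment (GCC/Clang UBSan) reports at run time on x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROW_PIXELS 4   /* assumed row length for the demonstration */

/* Constructed sample row (host byte order): the halves 1.0, -2.0, 0.5, 65504.0 */
static const uint16_t SAMPLE_HALVES[ROW_PIXELS] = { 0x3C00, 0xC000, 0x3800, 0x7BFF };

/* IEEE 754 binary16 -> binary32, bit exact, including subnormals, inf and NaN. */
static float half_to_float(uint16_t h)
{
    uint32_t sign = (uint32_t)(h & 0x8000u) << 16;
    uint32_t exp  = (h >> 10) & 0x1Fu;
    uint32_t mant = h & 0x3FFu;
    uint32_t bits;
    float f;

    if (exp == 0) {
        if (mant == 0) {
            bits = sign;                                   /* signed zero */
        } else {                                           /* subnormal: renormalise */
            int shift = -1;
            do { shift++; mant <<= 1; } while ((mant & 0x400u) == 0);
            mant &= 0x3FFu;
            bits = sign | ((uint32_t)(127 - 15 - shift) << 23) | (mant << 13);
        }
    } else if (exp == 0x1F) {
        bits = sign | 0x7F800000u | (mant << 13);          /* inf or NaN */
    } else {
        bits = sign | ((exp + 127 - 15) << 23) | (mant << 13);
    }
    memcpy(&f, &bits, sizeof f);
    return f;
}

/* VULNERABLE idiom (models the CWE-704 pattern in the advisory): the byte pointer is
 * cast to float * and stored through. Undefined behaviour whenever row + 4*i is not
 * 4-byte aligned: faults on strict-alignment CPUs, UBSan report on x86. */
static void expand_row_unaligned_cast(uint8_t *row, size_t n)
{
    for (size_t i = n; i-- > 0; ) {
        uint16_t h;
        memcpy(&h, row + 2 * i, sizeof h);
        *(float *)(row + 4 * i) = half_to_float(h);       /* misaligned store */
    }
}

/* HARDENED form: same in-place expansion, but the 32-bit value is written with
 * memcpy, so the generated store is valid for any address. */
static void expand_row_memcpy(uint8_t *row, size_t n)
{
    for (size_t i = n; i-- > 0; ) {
        uint16_t h;
        float f;
        memcpy(&h, row + 2 * i, sizeof h);
        f = half_to_float(h);
        memcpy(row + 4 * i, &f, sizeof f);
    }
}

/* Alignment check a decoder could assert before taking a typed-pointer fast path. */
static int pointer_is_aligned(const void *p, size_t align)
{
    return ((uintptr_t)p % align) == 0;
}

static float read_float_at(const uint8_t *row, size_t i)
{
    float f;
    memcpy(&f, row + 4 * i, sizeof f);
    return f;
}

/* The float member forces bytes[0] onto a float boundary, so bytes + 1 is a
 * deliberately misaligned row, like a DWA row buffer starting at an odd offset. */
typedef union { float align; uint8_t bytes[4 * ROW_PIXELS + 8]; } row_storage;

/* Expands the sample row with the hardened routine and returns pixel i. */
static float decode_sample_pixel(size_t i)
{
    row_storage s;
    uint8_t *row = s.bytes + 1;
    memset(&s, 0, sizeof s);
    memcpy(row, SAMPLE_HALVES, sizeof SAMPLE_HALVES);
    expand_row_memcpy(row, ROW_PIXELS);
    return read_float_at(row, i);
}

/* 1 if the demonstration row is float aligned (by construction it is not). */
static int sample_row_is_aligned(void)
{
    row_storage s;
    return pointer_is_aligned(s.bytes + 1, sizeof(float));  /* float alignment is 4 on x86/ARM/RISC-V */
}

int main(void)
{
    row_storage s;
    uint8_t *row = s.bytes + 1;

    printf("row aligned for float: %d\n", sample_row_is_aligned());
    for (size_t i = 0; i < ROW_PIXELS; i++)
        printf("memcpy path, pixel %zu = %g\n", i, decode_sample_pixel(i));

    /* Same work through the vulnerable idiom: identical output on x86, a UBSan report
     * with -fsanitize=alignment, SIGBUS on strict-alignment targets. */
    memset(&s, 0, sizeof s);
    memcpy(row, SAMPLE_HALVES, sizeof SAMPLE_HALVES);
    expand_row_unaligned_cast(row, ROW_PIXELS);
    for (size_t i = 0; i < ROW_PIXELS; i++)
        printf("cast path,   pixel %zu = %g\n", i, read_float_at(row, i));
    return 0;
}
```

Build with `cc -O2 -fsanitize=alignment example.c` and run it: the cast path then prints a "store to misaligned address" runtime error naming the float store, which is the cheapest way to confirm whether a local build of any decoder still contains this idiom before reaching for a disassembler.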

An attacker can exploit this remotely with low complexity and no privileges by getting a user to open a specially crafted DWA- or DWAB-compressed EXR file that contains a FLOAT-type channel; the required user interaction is processing the file in any application that links a vulnerable OpenEXR for decoding. The immediate effect of the misaligned write is an application crash, which is why the availability impact is rated high. On x86 the write is tolerated at run time; the advisory still rates the bug as exploitable there, with any further memory corruption depending on what the compiler generated for the cast, and the vector scores that integrity impact as low and the confidentiality impact as none.

Mitigation is available through patches released by the Academy Software Foundation. Vulnerable versions should be upgraded to OpenEXR 3.2.7, 3.3.9, or 3.4.9, with corresponding release notes and binaries provided on GitHub. Additional details are documented in the project's security advisory at GHSA-w88v-vqhq-5p24.

Details

CWE(s)

CWE-704 Incorrect Type Conversion or Cast · CWE-787 Out-of-bounds Write · CWE-843 Access of Resource Using Incompatible Type

Affected Products

Vendor: openexr · Product: openexr
Affected versions: 3.2.0 up to (excluding) 3.2.7 · 3.3.0 up to (excluding) 3.3.9 · 3.4.0 up to (excluding) 3.4.9

CVEs Like This One

CVE-2026-27622 · same product: openexr/openexr
CVE-2026-34545 · same product: openexr/openexr
CVE-2026-40250 · same product: openexr/openexr
CVE-2026-40244 · same product: openexr/openexr
CVE-2026-34544 · same product: openexr/openexr
CVE-2026-34588 · same product: openexr/openexr
CVE-2025-48072 · same product: openexr/openexr
CVE-2026-41142 · same product: openexr/openexr
CVE-2026-34543 · same product: openexr/openexr
CVE-2026-21692 · shared CWE-704, CWE-843
