CVE-2026-34543
Published: 01 April 2026
Summary
CVE-2026-34543 is a high-severity Use of Uninitialized Resource (CWE-908) vulnerability in Openexr Openexr. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and patching of flaws such as the heap memory disclosure in vulnerable OpenEXR library versions.
Mandates validation of inputs like malicious EXR files to block processing that triggers the heap information leak.
Implements memory safeguards such as randomization to protect against unauthorized disclosure of heap data through decoded pixel output.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote information disclosure triggered by supplying a crafted EXR file to an application using the vulnerable library for image processing, with network attack vector and no user interaction required, directly enabling exploitation of public-facing applications.
NVD Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel…
more
data (information disclosure). This occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction. This issue has been patched in version 3.4.8.
Deeper analysisAI
CVE-2026-34543 is an information disclosure vulnerability (CWE-908) affecting the OpenEXR library, which provides the specification and reference implementation for the EXR file format used in the motion picture industry for image storage. Versions from 3.4.0 up to but not including 3.4.8 are vulnerable, where sensitive information from heap memory can leak through the decoded pixel data of a malicious EXR file. The issue triggers under default settings simply by reading the file, requiring no additional user interaction. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Any remote attacker can exploit this vulnerability by supplying a crafted EXR file to a victim application that uses the affected OpenEXR versions for image processing. Exploitation requires no privileges or user interaction beyond opening the file, making it suitable for drive-by scenarios in image viewers, editors, or rendering software. Successful exploitation leaks confidential data from the application's heap memory embedded in the pixel output, potentially exposing sensitive information like keys, tokens, or memory artifacts without impacting integrity or availability.
The OpenEXR project has addressed this in version 3.4.8, as detailed in the security advisory (GHSA-vc68-257w-m432), release notes, and patching commit (5f6d0aaa9e43802917af7db90f181e88e083d3b8). Security practitioners should update to 3.4.8 or later and audit dependencies in software handling EXR files, such as graphics tools or VFX pipelines.
Details
- CWE(s)