CVE-2026-34545
Published: 01 April 2026
Summary
CVE-2026-34545 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Openexr Openexr. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of flaws such as the heap buffer overflow in OpenEXR versions 3.4.0-3.4.6 by applying patches like version 3.4.7.
Implements memory protections like ASLR and DEP to mitigate exploitation of the controlled heap overflow primitive leading to RCE.
Enforces validation of EXR file inputs to reject crafted files with invalid HTJ2K compression or channel width of 32768 before decoding.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap-based buffer overflow in OpenEXR image decoding enables RCE when a user opens a malicious .exr file, directly mapping to exploitation for client execution (T1203) via a malicious file (T1204.002).
NVD Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.7, an attacker providing a crafted .exr file with HTJ2K compression and a…
more
channel width of 32768 can write controlled data beyond the output heap buffer in any application that decodes EXR images. The write primitive is 2 bytes per overflow iteration or 4 bytes (by another path), repeating for each additional pixel past the overflow point. In this context, a heap write overflow can lead to remote code execution on systems. This issue has been patched in version 3.4.7.
Deeper analysisAI
CVE-2026-34545 is a heap-based buffer overflow vulnerability (CWE-122) combined with an integer overflow (CWE-190) in the OpenEXR library, which provides the specification and reference implementation for the EXR image file format used in the motion picture industry. The issue affects versions 3.4.0 through 3.4.6 and occurs when decoding a specially crafted .exr file that uses HTJ2K compression with a channel width of 32768 pixels. This triggers controlled writes beyond the output heap buffer, with a primitive of 2 bytes per overflow iteration (or 4 bytes via an alternate path), repeating for each additional pixel past the overflow point. Any application that processes or decodes EXR images using the vulnerable OpenEXR library is at risk.
An attacker with local access (AV:L) and low privileges (PR:L) can exploit this vulnerability by convincing a user (UI:R) to open the malicious .exr file in a vulnerable application. Successful exploitation enables controlled heap writes, which can lead to remote code execution on impacted systems, with high impacts on confidentiality, integrity, and availability (CVSS 7.3). The scoped impact remains unchanged (S:U), making it suitable for privilege escalation or arbitrary code execution in local contexts such as image viewers, editors, or rendering software.
The vulnerability has been addressed in OpenEXR version 3.4.7, as detailed in the project's security advisory (GHSA-ghfj-fx47-wg97), release notes, and the patching commit (3827998f5c041d6a94c6af24bbb363daa669e4b3). Security practitioners should update to 3.4.7 or later and audit dependencies in applications handling EXR files for the vulnerable range.
Details
- CWE(s)