CVE-2026-34588
Published: 06 April 2026
Summary
CVE-2026-34588 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in OpenEXR. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 1.3 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely identification, prioritization, and patching of known software flaws such as the integer overflow in OpenEXR's internal_exr_undo_piz() function.
- SI-16 (Memory Protection): implements memory safeguards such as ASLR, DEP, and stack canaries to impede exploitation of the out-of-bounds reads and writes caused by the pointer wraparound.
- SI-10 (Information Input Validation): mandates validation of information inputs such as EXR files, rejecting malformed data that triggers the signed 32-bit arithmetic overflow in wavelet decoding.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local integer overflow in OpenEXR's file-parsing library lets a low-privileged local attacker supply a crafted EXR file that triggers out-of-bounds reads and writes, leading to arbitrary code execution or other high-impact effects without user interaction; this maps directly to Exploitation for Privilege Escalation.
NVD Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Deeper analysis
CVE-2026-34588 is an integer overflow vulnerability in the OpenEXR library, which provides the specification and reference implementation for the EXR image file format used in the motion picture industry. The issue affects versions from 3.1.0 up to but not including 3.2.7, 3.3.9, and 3.4.9. Specifically, the function internal_exr_undo_piz() performs signed 32-bit arithmetic to advance a working wavelet pointer using values nx, ny, and wcount, which are of type int. A crafted EXR file can trigger an overflow, causing the pointer to wrap and point to an incorrect address. Since the wavelet decode path operates in place, this results in out-of-bounds reads and writes. The vulnerability is associated with CWE-125 (Out-of-bounds Read), CWE-190 (Integer Overflow or Wraparound), and CWE-787 (Out-of-bounds Write), and carries a CVSS v3.1 base score of 7.8.
An attacker with local access and low privileges (PR:L) can exploit this vulnerability by supplying a maliciously crafted EXR file to an affected OpenEXR instance, with low attack complexity and no user interaction required. Successful exploitation leads to high-impact confidentiality, integrity, and availability consequences (C:H/I:H/A:H), potentially allowing arbitrary code execution, data corruption, or denial of service through out-of-bounds memory access in the decoding process.
Mitigation is available via patches released by the Academy Software Foundation. Vendors and users should update to OpenEXR version 3.2.7, 3.3.9, or 3.4.9, as detailed in the corresponding GitHub release notes and the security advisory at GHSA-588r-cr5c-w6hf.
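As an added illustration of the arithmetic this advisory describes (constructed here, not OpenEXR's own code; the function names and sample header values are hypothetical), the block below computes the nx * ny * wcount pointer advance with overflow and bounds checking in size_t, beside a check of whether the same product would overflow a signed 32-bit int the way the vulnerable path does.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical hardened advance (not OpenEXR's code): returns the new offset
 * into the wavelet buffer, or SIZE_MAX if a dimension is negative, the product
 * nx * ny * wcount does not fit in size_t, or the advance leaves buf_len bytes. */
size_t piz_advance_checked(size_t offset, int nx, int ny, int wcount,
                           size_t buf_len)
{
    size_t xy, total, end;
    if (nx < 0 || ny < 0 || wcount < 0)
        return SIZE_MAX;
    if (__builtin_mul_overflow((size_t)nx, (size_t)ny, &xy) ||
        __builtin_mul_overflow(xy, (size_t)wcount, &total))
        return SIZE_MAX;                     /* product would wrap */
    if (__builtin_add_overflow(offset, total, &end) || end > buf_len)
        return SIZE_MAX;                     /* advance leaves the buffer */
    return end;
}

/* The defect class from the advisory: the same product evaluated as a signed
 * 32-bit int. Returns 1 when the exact product exceeds INT_MAX, i.e. when the
 * int computation would overflow and relocate the next channel's in-place decode. */
int piz_product_overflows_int(int nx, int ny, int wcount)
{
    size_t xy, total;
    if (nx < 0 || ny < 0 || wcount < 0)
        return 1;
    if (__builtin_mul_overflow((size_t)nx, (size_t)ny, &xy) ||
        __builtin_mul_overflow(xy, (size_t)wcount, &total))
        return 1;
    return total > (size_t)INT_MAX;
}

int main(void)
{
    /* Constructed header values, not taken from any real EXR file. */
    struct { int nx, ny, wcount; } s[] = { {2048, 1024, 4}, {65536, 32768, 1} };
    size_t buf_len = (size_t)16 << 20;       /* 16 MiB decode buffer */
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        size_t end = piz_advance_checked(0, s[i].nx, s[i].ny, s[i].wcount, buf_len);
        printf("nx=%d ny=%d wcount=%d: int overflow=%d, checked advance=%s\n",
               s[i].nx, s[i].ny, s[i].wcount,
               piz_product_overflows_int(s[i].nx, s[i].ny, s[i].wcount),
               end == SIZE_MAX ? "rejected" : "ok");
    }
    return 0;
}
```

The second sample exceeds INT_MAX, so the int-based advance would overflow while the size_t version rejects it before any pointer is formed.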
Details
- CWE(s)