Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2026-34379
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-06 Apr, 2026 | 16:16
Updated At-07 Apr, 2026 | 19:04

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file containing a FLOAT-type channel, the decoder performs an in-place HALF→FLOAT conversion by casting an unaligned uint8_t * row pointer to float * and writing through it. Because the row buffer may not be 4-byte aligned, this constitutes undefined behavior under the C standard and crashes immediately on architectures that enforce alignment (ARM, RISC-V, etc.). On x86 it is silently tolerated at runtime but remains exploitable via compiler optimizations that assume aligned access. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.1HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Type: Secondary
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
CPE Matches
openexr
openexr
>>openexr>>Versions from 3.2.0(inclusive) to 3.2.7(exclusive)
cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
openexr
openexr
>>openexr>>Versions from 3.3.0(inclusive) to 3.3.9(exclusive)
cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
openexr
openexr
>>openexr>>Versions from 3.4.0(inclusive) to 3.4.9(exclusive)
cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-704Secondarysecurity-advisories@github.com
CWE-787Secondarysecurity-advisories@github.com
CWE-843Secondarysecurity-advisories@github.com
CWE ID: CWE-704
Type: Secondary
Source: security-advisories@github.com
CWE ID: CWE-787
Type: Secondary
Source: security-advisories@github.com
CWE ID: CWE-843
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7security-advisories@github.com
Product
Release Notes
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9security-advisories@github.com
Product
Release Notes
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9security-advisories@github.com
Product
Release Notes
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-w88v-vqhq-5p24security-advisories@github.com
Exploit
Vendor Advisory
Hyperlink: https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
Source: security-advisories@github.com
Resource:
Product
Release Notes
Hyperlink: https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
Source: security-advisories@github.com
Resource:
Product
Release Notes
Hyperlink: https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
Source: security-advisories@github.com
Resource:
Product
Release Notes
Hyperlink: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-w88v-vqhq-5p24
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory
Change History
0Changes found
Details not found