PyPI: openexr
CVE-2026-34543
Safety vulnerability ID: SFTY-20260403-56831
Safety legacy ID: pyup.io-91736
Overview
OpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)
Advisory
Affected versions of the openexr package are vulnerable to Information Disclosure. The undo_pxr24_impl() function in internal_pxr24.c ignores the actual decompressed size returned by exr_uncompress_buffer() and instead reads from the scratch buffer using the header-derived expected size; in addition, exr_uncompress_buffer() in compression.c treats LIBDEFLATE_SHORT_OUTPUT as a successful result rather than an error. When a crafted PXR24 EXR file contains a valid but truncated zlib stream, the decompressor writes fewer bytes than expected to the scratch buffer, while the subsequent byte-plane reconstruction loop reads the full expected size and so incorporates uninitialised heap memory into the output pixel data. An attacker can craft a malicious EXR file that, when decoded under default settings, leaks sensitive heap memory contents through the rendered pixel output.
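The short-output pattern described above, modelled with Python's standard zlib module as an added example (this is not OpenEXR's code; the function names, the 1 KiB block size and the sample data are constructed): a truncated but well-formed zlib stream yields fewer bytes than the header says, the unchecked reconstruction returns stale scratch-buffer bytes in their place, and the hardened version rejects the block instead.

```python
import hashlib
import zlib

EXPECTED_SIZE = 1024  # header-derived size of one decoded block (constructed)


def uncompress_buffer(stream: bytes) -> bytes:
    """Inflate one block and return however many bytes the stream actually yields.

    A zlib stream that is well-formed but cut short does not raise here: the
    streaming decompressor simply stops early. This is the short-output case
    that the advisory describes exr_uncompress_buffer() treating as success.
    """
    return zlib.decompressobj().decompress(stream)


def reconstruct_unchecked(stream: bytes, scratch: bytearray) -> bytes:
    """Vulnerable pattern: read EXPECTED_SIZE bytes back, whatever was written."""
    out = uncompress_buffer(stream)
    scratch[:len(out)] = out               # only len(out) bytes are overwritten
    return bytes(scratch[:EXPECTED_SIZE])  # the rest is whatever was there before


def reconstruct_checked(stream: bytes, scratch: bytearray) -> bytes:
    """Hardened pattern: a short (or long) result is an error, never pixel data."""
    out = uncompress_buffer(stream)
    if len(out) != EXPECTED_SIZE:
        raise ValueError(f"bad PXR24 block: got {len(out)} of {EXPECTED_SIZE} bytes")
    scratch[:EXPECTED_SIZE] = out
    return bytes(scratch[:EXPECTED_SIZE])


# Constructed sample input: 1 KiB of incompressible "pixel" bytes, compressed and
# then cut in half so the stream is valid right up to the point where it ends.
PIXELS = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
FULL_STREAM = zlib.compress(PIXELS)
TRUNCATED_STREAM = FULL_STREAM[: len(FULL_STREAM) // 2]
STALE_PATTERN = b"previous-block-secret-"  # stands in for uninitialised heap


def fresh_scratch() -> bytearray:
    """A reused scratch buffer still holding bytes from an earlier block."""
    repeats = EXPECTED_SIZE // len(STALE_PATTERN) + 1
    return bytearray((STALE_PATTERN * repeats)[:EXPECTED_SIZE])


def leaked_bytes(stream: bytes = TRUNCATED_STREAM) -> bytes:
    """The part of the vulnerable output that never came from the stream."""
    produced = len(uncompress_buffer(stream))
    return reconstruct_unchecked(stream, fresh_scratch())[produced:]


if __name__ == "__main__":
    print(f"truncated stream yields {len(uncompress_buffer(TRUNCATED_STREAM))} bytes")
    print(f"unchecked decode returns {len(leaked_bytes())} stale bytes as pixel data")
```

The length check is the core of the fix; a production decoder would also confirm the stream reached its end (the decompressor's eof flag) so that a truncated trailer is rejected as well.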
References
- https://getsafety.com/vulnerabilities/SFTY-20260403-56831/CVE-2026-34543
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34543
- https://data.safetycli.com/changelogs/openexr/
- https://github.com/advisories/GHSA-vc68-257w-m432
- https://pypi.org/project/openexr
- https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vc68-257w-m432
- https://nvd.nist.gov/vuln/detail/CVE-2026-34543
- https://github.com/AcademySoftwareFoundation/openexr/commit/5f6d0aaa9e43802917af7db90f181e88e083d3b8
- https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.8
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.