PyPI: openexr
CVE-2026-34589
Safety vulnerability ID: SFTY-20260408-96870
Safety legacy ID: pyup.io-92198
Overview
OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write
Advisory
Affected versions of the OpenEXR package are vulnerable to an out-of-bounds write caused by a signed 32-bit integer overflow in the DWA lossy decoder's per-component block pointer construction in internal_dwa_decoder.h. The expression numBlocksX * 64 is evaluated as a signed int and overflows for sufficiently large image widths, so the derived rowBlock pointers wrap and point outside the allocated rowBlockHandle buffer; LossyDctDecoder_execute() then writes through those pointers into out-of-bounds heap memory. Because the image width is attacker-controlled file metadata, a crafted DWAA-compressed EXR file is enough to trigger heap corruption during decompression, leading to a process crash or potentially further exploitation.
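The following C program is an added illustration of the bug class the advisory describes, not code from OpenEXR's internal_dwa_decoder.h: a per-component block offset is formed as a 32-bit signed product of numBlocksX and 64, wraps once numBlocksX reaches 2^25 (a data-window width of 2^28 pixels, which the int32 EXR header field can hold), and the resulting pointer lands before the buffer or aliases another component's blocks. The function names (blocks_per_row, row_block_offset_vuln, row_block_offset_safe) and the buffer sizing are hypothetical; the hardened variant shows the check a decoder should apply before forming the pointer.

```c
/* Added example modelling the advisory's overflow pattern; not OpenEXR's
 * own code. Names and buffer layout below are assumptions for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* DWA processes 8x8 DCT blocks: each block row holds numBlocksX blocks
 * of 64 coefficients, which is where the "* 64" in the advisory comes from. */
#define BLOCK_COEFFS 64

/* Number of 8x8 blocks across one scanline for a given image width. */
static int32_t blocks_per_row(int32_t width)
{
    return (width + 7) / 8;
}

/* Vulnerable pattern: the element offset of component `comp` is computed in
 * 32-bit arithmetic. The detour through uint32_t reproduces the wrap
 * deterministically (overflowing a plain int is undefined behaviour in C),
 * but the observable result is the same: a pointer built from this offset
 * no longer points into the rowBlock buffer. */
static int32_t row_block_offset_vuln(int32_t numBlocksX, int32_t comp)
{
    int32_t per_row = (int32_t)((uint32_t)numBlocksX * (uint32_t)BLOCK_COEFFS);
    return (int32_t)((uint32_t)per_row * (uint32_t)comp);
}

/* Would a write through the vulnerable offset stay inside [0, buf_elems)?
 * A wrapped negative offset points before the buffer; a wrapped small
 * positive offset aliases another component's blocks. */
static bool vuln_offset_in_bounds(int32_t numBlocksX, int32_t comp, size_t buf_elems)
{
    int32_t off = row_block_offset_vuln(numBlocksX, comp);
    return off >= 0 && (size_t)off < buf_elems;
}

/* Hardened pattern: widen to 64 bits and require the whole block row of the
 * component, not just its first element, to fit the allocation. A false
 * return is what a decoder should treat as a corrupt file. */
static bool row_block_offset_safe(int32_t numBlocksX, int32_t comp,
                                  size_t buf_elems, size_t *out)
{
    if (numBlocksX < 0 || comp < 0) return false;
    uint64_t per_row = (uint64_t)numBlocksX * BLOCK_COEFFS;
    uint64_t off = per_row * (uint64_t)comp;
    if (off > buf_elems || per_row > buf_elems - off) return false;
    *out = (size_t)off;
    return true;
}

/* Convenience wrapper: the safe offset, or SIZE_MAX when it is rejected. */
static size_t safe_offset_or_max(int32_t numBlocksX, int32_t comp, size_t buf_elems)
{
    size_t off;
    return row_block_offset_safe(numBlocksX, comp, buf_elems, &off) ? off : SIZE_MAX;
}

int main(void)
{
    /* Constructed header value: a 2^28-pixel-wide data window gives
     * numBlocksX = 2^25, so numBlocksX * 64 = 2^31 and the product wraps. */
    int32_t width = 268435456;
    int32_t nb = blocks_per_row(width);
    size_t buf_elems = (size_t)1 << 20;   /* hypothetical allocation size */

    for (int32_t comp = 1; comp <= 2; comp++) {
        printf("comp %d: vulnerable offset %d, in bounds: %s, hardened: %s\n",
               comp, row_block_offset_vuln(nb, comp),
               vuln_offset_in_bounds(nb, comp, buf_elems) ? "yes" : "no",
               safe_offset_or_max(nb, comp, buf_elems) == SIZE_MAX ? "rejected" : "ok");
    }
    return 0;
}
```

Component 1's offset wraps to INT32_MIN (a pointer far before the buffer) and component 2's wraps to 0, so its blocks would be decoded on top of component 0's; the hardened variant rejects both because the 64-bit product exceeds the allocation.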
Affected Package
Also affects
---
How to Fix
Upgrade openexr to a release that carries the fix; the references below point to the v3.2.7, v3.3.9 and v3.4.9 upstream release tags.
Mitigation and Workarounds
---
Vulnerable Functions
- LossyDctDecoder_execute() in internal_dwa_decoder.h (the out-of-bounds write site named in the advisory)
References
- https://getsafety.com/vulnerabilities/SFTY-20260408-96870/CVE-2026-34589
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34589
- https://data.safetycli.com/changelogs/openexr/
- https://github.com/advisories/GHSA-p8xc-w3q4-h64x
- https://pypi.org/project/openexr
- https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x
- https://nvd.nist.gov/vuln/detail/CVE-2026-34589
- https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
- https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
- https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
