CVE-2026-34543

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). This occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction. This issue has been patched in version 3.4.8.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/AcademySoftwareFoundation/openexr/commit/5f6d0aaa9e43802917af7db90f181e88e083d3b8	Patch
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.8	Product Release Notes
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vc68-257w-m432	Exploit Vendor Advisory
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vc68-257w-m432	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openexr:openexr::::::::
	cpe:2.3:a:openexr:openexr::::::::
	cpe:2.3:a:openexr:openexr::::::::

History

07 Apr 2026, 20:16

Type	Values Removed	Values Added
References	~~() https://github.com/AcademySoftwareFoundation/openexr/commit/5f6d0aaa9e43802917af7db90f181e88e083d3b8 -~~	() https://github.com/AcademySoftwareFoundation/openexr/commit/5f6d0aaa9e43802917af7db90f181e88e083d3b8 - Patch
References	~~() https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.8 -~~	() https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.8 - Product, Release Notes
References	~~() https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vc68-257w-m432 -~~	() https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vc68-257w-m432 - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:openexr:openexr::::::::
First Time		Openexr Openexr openexr

02 Apr 2026, 14:16

Type	Values Removed	Values Added
References	~~() https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vc68-257w-m432 -~~	() https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vc68-257w-m432 -

01 Apr 2026, 21:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-01 21:17

Updated : 2026-04-07 20:16

NVD link : CVE-2026-34543

Mitre link : CVE-2026-34543

CVE.ORG link : CVE-2026-34543

JSON object : View

Products Affected

openexr

openexr

CWE

CWE-908

Use of Uninitialized Resource

7.5 /10