{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openexr/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenEXR"],"_cs_severities":["high"],"_cs_tags":["openexr","memory-corruption","out-of-bounds","cve-2026-34588"],"_cs_type":"advisory","_cs_vendors":["OpenEXR"],"content_html":"\u003cp\u003eA signed 32-bit integer overflow vulnerability exists in the PIZ decoder of OpenEXR, specifically within the \u003ccode\u003einternal_exr_undo_piz()\u003c/code\u003e function. This function advances a wavelet pointer using signed 32-bit arithmetic. By crafting a malicious EXR file, attackers can cause the product of \u003ccode\u003enx\u003c/code\u003e, \u003ccode\u003eny\u003c/code\u003e, and \u003ccode\u003ewcount\u003c/code\u003e to overflow and wrap around. This leads to the subsequent channel decoding from an incorrect memory address. Given that the wavelet decode path operates in place, this vulnerability results in both out-of-bounds reads and out-of-bounds writes. This issue has been identified in OpenEXR versions 3.1.0 to 3.2.6, 3.3.0 to 3.3.8, and 3.4.0 to 3.4.8. A proof-of-concept exploit exists, and successful exploitation could lead to crashes and memory corruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim opens a specially crafted \u003ccode\u003e.exr\u003c/code\u003e file using an application that utilizes the OpenEXR library.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003einternal_exr_undo_piz()\u003c/code\u003e to decompress the image data.\u003c/li\u003e\n\u003cli\u003eWithin \u003ccode\u003einternal_exr_undo_piz()\u003c/code\u003e, \u003ccode\u003ewavbuf\u003c/code\u003e is set to \u003ccode\u003edecode-\u0026gt;scratch_buffer_1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor each channel, the function calls \u003ccode\u003ewav_2D_decode (wavbuf + j, ...)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewavbuf\u003c/code\u003e is advanced with \u003ccode\u003ewavbuf += nx * ny * wcount;\u003c/code\u003e, where nx, ny, and wcount are attacker-controlled integers from the crafted EXR file.\u003c/li\u003e\n\u003cli\u003eThe multiplication of \u003ccode\u003enx\u003c/code\u003e, \u003ccode\u003eny\u003c/code\u003e, and \u003ccode\u003ewcount\u003c/code\u003e overflows, wrapping the \u003ccode\u003ewavbuf\u003c/code\u003e pointer to an out-of-bounds memory location.\u003c/li\u003e\n\u003cli\u003eThe next channel's wavelet decode runs on the incorrect, out-of-bounds address.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewdec14_4()\u003c/code\u003e attempts to read and write to the out-of-bounds memory location, leading to memory corruption or a crash.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows for arbitrary out-of-bounds read/write operations. The impact ranges from simple process crashes to memory corruption, potentially leading to arbitrary code execution. The severity depends on the allocator layout, surrounding memory protections, and the specific application using the vulnerable OpenEXR library. Exploitation may allow an attacker to overwrite program code or data, leading to a loss of confidentiality, integrity, or availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenEXR to a patched version (\u0026gt;= 3.2.7, \u0026gt;= 3.3.9, \u0026gt;= 3.4.9) to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor for the use of the \u003ccode\u003eexrcheck\u003c/code\u003e tool against potentially malicious \u003ccode\u003e.exr\u003c/code\u003e files, especially those originating from untrusted sources.\u003c/li\u003e\n\u003cli\u003eInspect network traffic for downloads of \u003ccode\u003e.exr\u003c/code\u003e files from untrusted sources.\u003c/li\u003e\n\u003cli\u003eImplement the provided fix recommendations, such as validating the \u003ccode\u003enx * ny * wcount\u003c/code\u003e calculation and buffer sizes, within the OpenEXR library where feasible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-openexr-overflow/","summary":"A crafted OpenEXR file can trigger out-of-bounds memory access during PIZ decompression due to a signed 32-bit overflow in the `internal_exr_undo_piz()` function, leading to out-of-bounds reads and writes and potentially causing process crashes or memory corruption; affects OpenEXR versions 3.1.0 to 3.2.6, 3.3.0 to 3.3.8, and 3.4.0 to 3.4.8.","title":"OpenEXR PIZ Decoder Integer Overflow Leads to OOB Read/Write","url":"https://feed.craftedsignal.io/briefs/2024-01-02-openexr-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - OpenEXR","version":"https://jsonfeed.org/version/1.1"}