{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-34543/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-34543"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openexr","heap-disclosure","cve-2026-34543"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA heap information disclosure vulnerability exists in OpenEXR\u0026rsquo;s PXR24 decompression functionality, specifically within the \u003ccode\u003eundo_pxr24_impl\u003c/code\u003e function in \u003ccode\u003einternal_pxr24.c\u003c/code\u003e and \u003ccode\u003eexr_uncompress_buffer()\u003c/code\u003e in \u003ccode\u003ecompression.c\u003c/code\u003e. This vulnerability, identified as CVE-2026-34543, stems from the decompression function ignoring the actual decompressed size returned by \u003ccode\u003eexr_uncompress_buffer()\u003c/code\u003e. Instead, it relies on the expected size derived from the EXR file\u0026rsquo;s header metadata. The \u003ccode\u003eexr_uncompress_buffer()\u003c/code\u003e also treats \u003ccode\u003eLIBDEFLATE_SHORT_OUTPUT\u003c/code\u003e as a successful result. An attacker can exploit this by crafting a malicious PXR24 EXR file containing a truncated zlib stream. This leads to the decoder reading uninitialized heap memory and incorporating it into the output pixel data, potentially exposing sensitive information. The vulnerability affects OpenEXR versions 3.2.0 through 3.2.6, 3.3.0 through 3.3.8, and 3.4.0 through 3.4.7.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious PXR24 EXR file with a truncated zlib stream.\u003c/li\u003e\n\u003cli\u003eThe victim application uses OpenEXR to open and process the malicious EXR file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eundo_pxr24_impl\u003c/code\u003e function is called to decompress the PXR24 compressed data.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexr_uncompress_buffer\u003c/code\u003e function decompresses the truncated zlib stream, returning \u003ccode\u003eLIBDEFLATE_SHORT_OUTPUT\u003c/code\u003e, which is treated as a success.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eundo_pxr24_impl\u003c/code\u003e ignores the actual decompressed size (\u003ccode\u003eoutSize\u003c/code\u003e) and reads from the scratch buffer based on the expected size (\u003ccode\u003euncompressed_size\u003c/code\u003e) from the header.\u003c/li\u003e\n\u003cli\u003eThe byte-plane reconstruction loop reads past the valid decompressed data into uninitialized heap memory within the scratch buffer.\u003c/li\u003e\n\u003cli\u003eThe uninitialized heap memory is incorporated into the output pixel data.\u003c/li\u003e\n\u003cli\u003eThe victim application processes the pixel data, potentially leaking sensitive information from the heap.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a heap information disclosure. Sensitive information from the heap memory may be leaked through the decoded pixel data. The vulnerability is triggered simply by opening a malicious EXR file, requiring no user interaction beyond processing the image. The vulnerable versions of OpenEXR are commonly used in image processing applications, 3D rendering software, and other tools that handle EXR image files. This can lead to data breaches, exposure of confidential information, and potential further compromise of affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a fixed version of OpenEXR to address CVE-2026-34543.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic and file system activity for attempts to deliver or access suspicious EXR files from untrusted sources.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent the processing of potentially malicious EXR files (reference CVE-2026-34543).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect processes decompressing EXR files that may exhibit anomalous behavior indicative of exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-openexr-heap-disclosure/","summary":"OpenEXR is vulnerable to a heap information disclosure in PXR24 decompression, where the undo_pxr24_impl function ignores the actual decompressed size, potentially leading to the exposure of uninitialized heap memory when processing crafted EXR files.","title":"OpenEXR Heap Information Disclosure in PXR24 Decompression (CVE-2026-34543)","url":"https://feed.craftedsignal.io/briefs/2026-04-openexr-heap-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-34543","version":"https://jsonfeed.org/version/1.1"}