{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-34589/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":5,"id":"CVE-2026-34589"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openexr","heap-overflow","dwaa","cve-2026-34589"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA heap out-of-bounds write vulnerability has been identified in the DWA lossy decoder of OpenEXR versions 3.2.0-3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8. The vulnerability stems from an integer overflow in the calculation of per-component block pointers within the \u003ccode\u003einternal_dwa_decoder.h\u003c/code\u003e file. When processing a DWAA compressed image with a large width, the multiplication of \u003ccode\u003enumBlocksX * 64\u003c/code\u003e overflows a signed 32-bit integer, resulting in a wrapped pointer. This wrapped pointer is then used in subsequent decoder operations, leading to out-of-bounds memory access during the lossy DCT execution path. This can be triggered using the \u003ccode\u003eexrcheck\u003c/code\u003e tool, impacting systems where OpenEXR is used to process image files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious OpenEXR image file with DWAA compression and a large image width.\u003c/li\u003e\n\u003cli\u003eThe victim uses the \u003ccode\u003eexrcheck\u003c/code\u003e tool or an application linked against a vulnerable OpenEXR library to process the image.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eInputFile\u003c/code\u003e or \u003ccode\u003eScanLineInputFile\u003c/code\u003e class initiates the image decoding process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexr_decoding_run\u003c/code\u003e function is called, which in turn calls \u003ccode\u003eexr_uncompress_chunk\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eexr_uncompress_chunk\u003c/code\u003e calls \u003ccode\u003einternal_exr_undo_dwaa\u003c/code\u003e to decompress the DWAA data.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003einternal_exr_undo_dwaa\u003c/code\u003e invokes \u003ccode\u003eDwaCompressor_uncompress\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eDwaCompressor_uncompress\u003c/code\u003e, \u003ccode\u003eLossyDctDecoder_execute\u003c/code\u003e is called, triggering the integer overflow when calculating \u003ccode\u003erowBlock\u003c/code\u003e pointers in \u003ccode\u003einternal_dwa_decoder.h\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eLossyDctDecoder_execute\u003c/code\u003e attempts to write data to an out-of-bounds memory location, resulting in a crash (SEGV).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition due to a write-side crash, as observed in the \u003ccode\u003eLossyDctDecoder_execute\u003c/code\u003e function. The vulnerability affects applications that utilize the OpenEXR library to process DWAA compressed images. While the source doesn\u0026rsquo;t specify the number of victims or targeted sectors, any system processing untrusted OpenEXR images with affected versions is at risk. This could impact image editing software, rendering pipelines, and other applications that rely on OpenEXR.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenEXR to versions 3.2.7, 3.3.9, or 3.4.9 or later to patch CVE-2026-34589.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect exrcheck crash\u0026rdquo; to identify instances where the \u003ccode\u003eexrcheck\u003c/code\u003e tool crashes due to this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor systems for abnormal program termination signals (e.g., SEGV) originating from OpenEXR libraries during image processing, as these may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eBlock downloads from the URL \u003ccode\u003ehttps://github.com/user-attachments/files/26318786/dwa_scanline_exrcheck.zip\u003c/code\u003e to prevent users from downloading a known malicious test case.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T12:00:00Z","date_published":"2026-04-09T12:00:00Z","id":"/briefs/2026-04-openexr-dwa-oob-write/","summary":"A heap out-of-bounds write vulnerability exists in OpenEXR's DWA lossy decoder due to integer overflow during block pointer calculation, triggered via crafted DWAA files, leading to crashes during DCT execution.","title":"OpenEXR DWA Lossy Decoder Heap Out-of-Bounds Write Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openexr-dwa-oob-write/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-34589","version":"https://jsonfeed.org/version/1.1"}