OpenEXR DWA Lossy Decoder Heap Out-of-Bounds Write Vulnerability

hello@craftedsignal.io — Thu, 09 Apr 2026 12:00:00 +0000

A heap out-of-bounds write vulnerability has been identified in the DWA lossy decoder of OpenEXR versions 3.2.0-3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8. The vulnerability stems from an integer overflow in the calculation of per-component block pointers within the internal_dwa_decoder.h file. When processing a DWAA compressed image with a large width, the multiplication of numBlocksX * 64 overflows a signed 32-bit integer, resulting in a wrapped pointer. This wrapped pointer is then used in subsequent decoder operations, leading to out-of-bounds memory access during the lossy DCT execution path. This can be triggered using the exrcheck tool, impacting systems where OpenEXR is used to process image files.

Attack Chain

An attacker crafts a malicious OpenEXR image file with DWAA compression and a large image width.
The victim uses the exrcheck tool or an application linked against a vulnerable OpenEXR library to process the image.
The InputFile or ScanLineInputFile class initiates the image decoding process.
The exr_decoding_run function is called, which in turn calls exr_uncompress_chunk.
exr_uncompress_chunk calls internal_exr_undo_dwaa to decompress the DWAA data.
internal_exr_undo_dwaa invokes DwaCompressor_uncompress.
Inside DwaCompressor_uncompress, LossyDctDecoder_execute is called, triggering the integer overflow when calculating rowBlock pointers in internal_dwa_decoder.h.
LossyDctDecoder_execute attempts to write data to an out-of-bounds memory location, resulting in a crash (SEGV).

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition due to a write-side crash, as observed in the LossyDctDecoder_execute function. The vulnerability affects applications that utilize the OpenEXR library to process DWAA compressed images. While the source doesn’t specify the number of victims or targeted sectors, any system processing untrusted OpenEXR images with affected versions is at risk. This could impact image editing software, rendering pipelines, and other applications that rely on OpenEXR.

Recommendation

Upgrade OpenEXR to versions 3.2.7, 3.3.9, or 3.4.9 or later to patch CVE-2026-34589.
Deploy the Sigma rule “Detect exrcheck crash” to identify instances where the exrcheck tool crashes due to this vulnerability.
Monitor systems for abnormal program termination signals (e.g., SEGV) originating from OpenEXR libraries during image processing, as these may indicate exploitation attempts.
Block downloads from the URL https://github.com/user-attachments/files/26318786/dwa_scanline_exrcheck.zip to prevent users from downloading a known malicious test case.

OpenEXR Heap Information Disclosure in PXR24 Decompression (CVE-2026-34543)

hello@craftedsignal.io — Sat, 04 Apr 2026 12:00:00 +0000

A heap information disclosure vulnerability exists in OpenEXR’s PXR24 decompression functionality, specifically within the undo_pxr24_impl function in internal_pxr24.c and exr_uncompress_buffer() in compression.c. This vulnerability, identified as CVE-2026-34543, stems from the decompression function ignoring the actual decompressed size returned by exr_uncompress_buffer(). Instead, it relies on the expected size derived from the EXR file’s header metadata. The exr_uncompress_buffer() also treats LIBDEFLATE_SHORT_OUTPUT as a successful result. An attacker can exploit this by crafting a malicious PXR24 EXR file containing a truncated zlib stream. This leads to the decoder reading uninitialized heap memory and incorporating it into the output pixel data, potentially exposing sensitive information. The vulnerability affects OpenEXR versions 3.2.0 through 3.2.6, 3.3.0 through 3.3.8, and 3.4.0 through 3.4.7.

Attack Chain

The attacker crafts a malicious PXR24 EXR file with a truncated zlib stream.
The victim application uses OpenEXR to open and process the malicious EXR file.
The undo_pxr24_impl function is called to decompress the PXR24 compressed data.
The exr_uncompress_buffer function decompresses the truncated zlib stream, returning LIBDEFLATE_SHORT_OUTPUT, which is treated as a success.
undo_pxr24_impl ignores the actual decompressed size (outSize) and reads from the scratch buffer based on the expected size (uncompressed_size) from the header.
The byte-plane reconstruction loop reads past the valid decompressed data into uninitialized heap memory within the scratch buffer.
The uninitialized heap memory is incorporated into the output pixel data.
The victim application processes the pixel data, potentially leaking sensitive information from the heap.

Impact

Successful exploitation of this vulnerability results in a heap information disclosure. Sensitive information from the heap memory may be leaked through the decoded pixel data. The vulnerability is triggered simply by opening a malicious EXR file, requiring no user interaction beyond processing the image. The vulnerable versions of OpenEXR are commonly used in image processing applications, 3D rendering software, and other tools that handle EXR image files. This can lead to data breaches, exposure of confidential information, and potential further compromise of affected systems.

Recommendation

Apply the patch or upgrade to a fixed version of OpenEXR to address CVE-2026-34543.
Monitor network traffic and file system activity for attempts to deliver or access suspicious EXR files from untrusted sources.
Implement input validation and sanitization measures to prevent the processing of potentially malicious EXR files (reference CVE-2026-34543).
Deploy the Sigma rule provided below to detect processes decompressing EXR files that may exhibit anomalous behavior indicative of exploitation.

Openexr — CraftedSignal Threat Feed

OpenEXR DWA Lossy Decoder Heap Out-of-Bounds Write Vulnerability

Attack Chain

Impact

Recommendation

OpenEXR Heap Information Disclosure in PXR24 Decompression (CVE-2026-34543)

Attack Chain

Impact

Recommendation