CVE-2026-34543 — Use of Uninitialized Resource in Openexr
CWE-908 — Use of Uninitialized ResourceCWE-824 — Access of Uninitialized Pointer8 documents7 sources
Severity
8.7HIGHNVD
EPSS
0.0%
top 88.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 1
Latest updateApr 3
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). This occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction. This issue has been patched in version 3.4.8.
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Packages4 packages
Patches
🔴Vulnerability Details
3GHSA▶
OpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)↗2026-04-03
OSV▶
OpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)↗2026-04-03
OSV▶
CVE-2026-34543: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry↗2026-04-01
📋Vendor Advisories
2🕵️Threat Intelligence
1💬Community
1Bugzilla
▶