Key Takeaway
CVE-2026-34379 is a critical vulnerability in OpenEXR affecting versions 3.2.0-3.4.8: a misaligned memory write that can crash applications and may be exploitable. Immediate updates are essential.
What Happened
A critical vulnerability identified as CVE-2026-34379 has been discovered in OpenEXR, a widely used high-dynamic-range image file format and library in the motion picture industry. OpenEXR versions from 3.2.0 up to but not including 3.2.7, 3.3.9, and 3.4.9 are affected. The flaw was reported in the LossyDctDecoder_execute() function, part of the OpenEXRCore reference implementation for decoding EXR images. It is triggered when decoding a DWA- or DWAB-compressed EXR file that contains a FLOAT-type channel. The vulnerability poses a significant risk to applications built on affected versions, particularly those running on architectures such as ARM and RISC-V, where memory alignment is strictly enforced.
The vulnerability affects numerous industries relying on OpenEXR, especially film and animation studios, where the EXR format is prevalent. It was publicly detailed on September 29, 2026, prompting immediate action from organizations using the affected software versions.
Technical Details
The primary flaw is a misaligned memory write in the LossyDctDecoder_execute() function, located in src/lib/OpenEXRCore/internal_dwa_decoder.h at line 749. During decoding, an in-place conversion from HALF to FLOAT is performed by casting an unaligned uint8_t * row pointer to a float * and writing through it. This assumes the row pointer is suitably aligned for a float, which does not hold on all architectures.
On systems that enforce strict memory alignment, such as ARM and RISC-V, the write causes an immediate application crash. On x86 the hardware tolerates the unaligned store, but the write is still undefined behavior under the C standard, so the compiler is free to optimize on the assumption that the pointer is aligned and the resulting code can misbehave. The CVSS score of 7.1 reflects the potential for exploitation, with a focus on environments where unaligned memory operations are problematic.
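To make the pattern concrete, here is an added example (not OpenEXR's own code) that reproduces the shape of the bug: a byte row of HALF values widened in place to FLOAT through a float* cast, next to the hardened form that writes each float with memcpy. The half_to_float decoder, the is_aligned_to check and the constructed sample row are assumptions of this illustration.

```c
#include <stdint.h>
#include <string.h>
/* Decode one IEEE 754 binary16 (EXR HALF) into float: normals, subnormals, zero, inf/nan. */
float half_to_float(uint16_t h)
{
    uint32_t sign = (uint32_t)(h & 0x8000u) << 16;
    uint32_t ex = (h >> 10) & 0x1Fu, mant = h & 0x3FFu, bits, e = 113;
    if (ex == 0 && mant == 0) bits = sign;                           /* +/-0 */
    else if (ex == 0) {                                              /* subnormal: renormalise */
        while (!(mant & 0x400u)) { mant <<= 1; e--; }
        bits = sign | (e << 23) | ((mant & 0x3FFu) << 13);
    } else if (ex == 31) bits = sign | 0x7F800000u | (mant << 13);   /* inf/nan */
    else bits = sign | ((ex + 112u) << 23) | (mant << 13);
    float f; memcpy(&f, &bits, sizeof f); return f;
}
int is_aligned_to(const void *p, size_t a) { return (uintptr_t)p % a == 0; }
/* Shape of the bug: n HALFs in a byte row are widened to n FLOATs in place through
   a float* cast of the byte pointer. If the row is not 4-byte aligned every store is
   undefined behaviour (a trap on strict ARM/RISC-V). For contrast only; tests never call it. */
void widen_row_cast(uint8_t *row, size_t n)
{
    float *out = (float *)row;                  /* alignment merely assumed */
    for (size_t i = n; i-- > 0;) {              /* backwards: output overlaps input */
        uint16_t h; memcpy(&h, row + 2 * i, sizeof h);
        out[i] = half_to_float(h);              /* possibly misaligned write */
    }
}

/* Hardened form: memcpy each float so the compiler emits a store valid at any
   address; same backwards order so not-yet-read HALFs survive. */
void widen_row_safe(uint8_t *row, size_t n)
{
    for (size_t i = n; i-- > 0;) {
        uint16_t h; memcpy(&h, row + 2 * i, sizeof h);
        float f = half_to_float(h);
        memcpy(row + 4 * i, &f, sizeof f);
    }
}

/* Constructed input: HALFs 1.0, -2.0, 0.5, 2^-15 copied to a deliberately misaligned
   row inside a padded buffer; fills out[] via the safe path, returns 1 if misaligned. */
int demo_misaligned_row(float out[4])
{
    static const uint16_t halfs[4] = {0x3C00u, 0xC000u, 0x3800u, 0x0200u};
    uint8_t pad[4 * 4 + 1], *row = pad + (is_aligned_to(pad, 4) ? 1 : 0);
    memcpy(row, halfs, sizeof halfs);
    widen_row_safe(row, 4);
    memcpy(out, row, sizeof(float) * 4);
    return !is_aligned_to(row, 4);
}
```

The same backwards loop order is what makes the in-place widening correct at all; the fix is only in how each float is stored.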
Impact
The vulnerability threatens any application that uses the OpenEXR library for image processing on an affected version. In the film industry, where OpenEXR is commonly used for digital intermediate and visual effects work, it could disrupt production workflows or corrupt image data if exploited. The risk extends to all users who have not upgraded to a fixed version.
The scale of the vulnerability is significant given OpenEXR's extensive use across platforms. It underlines the importance of keeping software dependencies up to date, especially in high-performance computing environments that depend on reliable image processing.
What To Do
- Upgrade to OpenEXR version 3.2.7, 3.3.9, or 3.4.9 immediately if your current version falls within the affected range.
- Review all systems using OpenEXR to ensure they are running a patched version.
- Deploy intrusion detection systems to monitor for suspicious activity indicative of exploitation attempts.
- For developers, ensure proper memory handling and alignment practices in any codebase that leverages OpenEXR.
- Consider using different architectures or systems that better tolerate unaligned memory writes if immediate upgrading is not feasible.
Promptly addressing this vulnerability through updates and monitoring will help maintain the integrity of systems relying on the OpenEXR format and shield them from crashes or exploitation. Restrict access and review logs to verify that no prior exploitation has occurred.
Original Source
NVD