CVE-2026-34543

import OpenEXR import Imath import numpy as np # PoC for CVE-2026-34543: Information Disclosure via Heap Memory Leak # This script demonstrates reading a potentially malicious EXR file. # In the vulnerable version, uninitialized heap memory may be present in the pixel data. def read_exr_file(filepath): try: # Open the EXR file exr_file = OpenEXR.InputFile(filepath) header = exr_file.header() # Get window dimensions dw = header['dataWindow'] size = (dw.max.x - dw.min.x + 1, dw.max.y - dw.min.y + 1) # Read the pixel data (RGB channels) # In vulnerable versions (3.4.0 - 3.4.7), this data may contain heap leaks FLOAT = Imath.PixelType(Imath.PixelType.FLOAT) rgb_str = exr_file.pixel(Imath.Channel('R', FLOAT), Imath.Channel('G', FLOAT), Imath.Channel('B', FLOAT)) # Convert to numpy array for analysis # This step represents where the leaked information becomes accessible rgb = np.frombuffer(rgb_str, dtype=np.float32) rgb.shape = (size[1], size[0], 3) print(f"Successfully read {filepath}. Check pixel data for anomalies.") # Analyze first few pixels for potential non-image data patterns print("First pixel values:", rgb[0,0]) except Exception as e: print(f"Error processing file: {e}") # Replace 'malicious.exr' with a crafted file intended to trigger the leak # read_exr_file('malicious.exr')

{"cve": {"id": "CVE-2026-34543", "sourceIdentifier": "[email protected]", "published": "2026-04-01T21:17:01.320", "lastModified": "2026-04-07T20:16:10.383", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). This occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction. This issue has been patched in version 3.4.8."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.0", "versionEndExcluding": "3.2.7", "matchCriteriaId": "4E7AA082-2647-4AAD-9902-1E3873882A3D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.9", "matchCriteriaId": "E8321A2E-759A-4B1E-9AAF-0204791F4323"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.0", "versionEndExcluding": "3.4.8", "matchCriteriaId": "088FF356-26BB-4AF4-95A4-B24485E43F02"}]}]}], "references": [{"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/5f6d0aaa9e43802917af7db90f181e88e083d3b8", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.8", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vc68-257w-m432", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vc68-257w-m432", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}