CVE-2026-34588

import struct # Proof of Concept for CVE-2026-34588 # This script demonstrates the integer overflow logic triggering the vulnerability. def simulate_overflow(nx, ny, wcount): # Simulate the vulnerable logic in internal_exr_undo_piz product = nx * ny * wcount # Simulate 32-bit signed integer overflow wrap-around # If product exceeds 2^31 - 1, it wraps to negative max_int32 = 2**31 - 1 if product > max_int32: wrapped = product - 2**32 print(f"[+] Integer Overflow Detected!") print(f" Calculated Product: {product}") print(f" Wrapped Value (32-bit signed): {wrapped}") return True return False # Input values that would trigger the overflow in a crafted EXR file # For example, large width (nx) and height (ny) nx = 70000 ny = 70000 wcount = 1 if simulate_overflow(nx, ny, wcount): print("[*] Vulnerability condition confirmed: Integer overflow leads to invalid pointer.") print("[*] Opening a crafted EXR file with these dimensions would crash the application.")

{"cve": {"id": "CVE-2026-34588", "sourceIdentifier": "[email protected]", "published": "2026-04-06T16:16:35.893", "lastModified": "2026-04-07T19:01:21.643", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1.0", "versionEndExcluding": "3.2.7", "matchCriteriaId": "38266E1F-A55B-4F3C-8A8A-BDD712658B97"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.9", "matchCriteriaId": "E8321A2E-759A-4B1E-9AAF-0204791F4323"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.0", "versionEndExcluding": "3.4.9", "matchCriteriaId": "94F2D271-636B-4E9E-A04B-40E635A59117"}]}]}], "references": [{"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}