Disclaimer: Community trackers are created by the Red Hat Product Security team on a best-effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package before starting the update process.
According to https://www.cve.org/CVERecord?id=CVE-2026-34543, the vulnerability existed, and was fixed by https://github.com/AcademySoftwareFoundation/openexr/commit/5f6d0aaa9e43802917af7db90f181e88e083d3b8, in the exr_uncompress_buffer and undo_pxr24_impl functions. These are present in OpenUSD.

The CVE report claims the vulnerability only existed from OpenEXR 3.4.0 to 3.4.8. Commit https://github.com/PixarAnimationStudios/OpenUSD/commit/8d2d14db075ac1bc492ef57ab9d692f1e1fb044a claimed to update the bundled OpenEXR from 3.2.0 to 3.4.0, but as noted in an ongoing discussion in https://github.com/PixarAnimationStudios/OpenUSD/issues/2935, the source code doesn’t seem to support that. Thus, if the vulnerability was truly introduced in 3.4.0, then the usd package is probably not affected, since the source code looks much more like 3.2.0. If it was already present, and the reporter only investigated the current branch, perhaps we could be affected after all.

As I noted in https://github.com/PixarAnimationStudios/OpenUSD/issues/2935#issuecomment-4191996687, there are important differences between OpenEXR 3.2.0 and 3.4.0 that mean we can’t blindly backport the fix, if it’s required, without developing a full understanding of the surrounding control flow. I’m not planning to attempt that. Perhaps we’ll remember to revisit this someday after the bundled OpenEXR code more closely resembles 3.4.0.