2454254 – CVE-2026-34545 usd: OpenEXR: Remote code execution via crafted EXR files [fedora-all]

Bug 2454254 - CVE-2026-34545 usd: OpenEXR: Remote code execution via crafted EXR files [fedora-all]

Summary: CVE-2026-34545 usd: OpenEXR: Remote code execution via crafted EXR files [fed...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	usd
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Luya Tshimbalanga
QA Contact:
Docs Contact:
URL:
Whiteboard:	{"flaws": ["c2a5070d-0fe0-4376-bb94-9...
Depends On:
Blocks:	CVE-2026-34545
TreeView+	depends on / blocked

Reported:	2026-04-02 08:29 UTC by Sandipan Roy
Modified:	2026-04-05 18:25 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2026-04-05 18:25:51 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Sandipan Roy 2026-04-02 08:29:14 UTC

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Ben Beasley 2026-04-05 18:25:51 UTC

According to https://www.cve.org/CVERecord?id=CVE-2026-34545, the vulnerability existed, and was fixed by https://github.com/AcademySoftwareFoundation/openexr/commit/3827998f5c041d6a94c6af24bbb363daa669e4b3, in the ht_undo_impl function. No function of that name is present in the OpenEXR subset that is bundled in OpenUSD, and searching for snippets of context surrounding the changes in the fix doesn’t turn up any evidence that related code, even after refactoring, might be present in OpenUSD. Therefore, I conclude that the usd package appears to be unaffected.

Note You need to log in before you can comment on or make changes to this bug.