2454144 – (CVE-2026-34543) CVE-2026-34543 OpenEXR: OpenEXR: Information disclosure via malicious EXR file

Bug 2454144 (CVE-2026-34543) - CVE-2026-34543 OpenEXR: OpenEXR: Information disclosure via malicious EXR file

Summary: CVE-2026-34543 OpenEXR: OpenEXR: Information disclosure via malicious EXR file

Keywords:
Status:	NEW
Alias:	CVE-2026-34543
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2454223 2454224 2454234 2454236
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-01 22:02 UTC by OSIDB Bzimport
Modified:	2026-04-02 06:13 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-01 22:02:56 UTC

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). This occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction. This issue has been patched in version 3.4.8.

Note You need to log in before you can comment on or make changes to this bug.