CVE-2026-34543: CWE-908: Use of Uninitialized Resource in AcademySoftwareFoundation openexr
A vulnerability in AcademySoftwareFoundation's openexr versions 3. 4. 0 up to but not including 3. 4. 8 allows sensitive heap memory information to be leaked through decoded pixel data. This information disclosure occurs simply by reading a malicious EXR file with default settings, without any user interaction. The issue is due to use of uninitialized resource (CWE-908). The vulnerability has been patched in version 3. 4. 8.
AI Analysis
Technical Summary
OpenEXR, a reference implementation for the EXR image file format used in motion picture industry, contains a vulnerability (CVE-2026-34543) in versions from 3.4.0 to before 3.4.8 where uninitialized heap memory may be exposed via decoded pixel data. This results in potential information disclosure when processing a crafted malicious EXR file. The vulnerability is classified under CWE-908 (Use of Uninitialized Resource) and has a CVSS 4.0 score of 8.7, indicating high severity. The issue is resolved in version 3.4.8.
Potential Impact
An attacker can cause sensitive information from heap memory to be leaked by supplying a malicious EXR file that triggers the use of uninitialized memory during decoding. This can lead to unauthorized disclosure of potentially sensitive data contained in heap memory. No user interaction is required beyond opening or processing the malicious file. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade openexr to version 3.4.8 or later, where this vulnerability has been patched. Until the update is applied, avoid processing untrusted or unauthenticated EXR files to reduce risk of information disclosure.
CVE-2026-34543: CWE-908: Use of Uninitialized Resource in AcademySoftwareFoundation openexr
Description
A vulnerability in AcademySoftwareFoundation's openexr versions 3. 4. 0 up to but not including 3. 4. 8 allows sensitive heap memory information to be leaked through decoded pixel data. This information disclosure occurs simply by reading a malicious EXR file with default settings, without any user interaction. The issue is due to use of uninitialized resource (CWE-908). The vulnerability has been patched in version 3. 4. 8.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenEXR, a reference implementation for the EXR image file format used in motion picture industry, contains a vulnerability (CVE-2026-34543) in versions from 3.4.0 to before 3.4.8 where uninitialized heap memory may be exposed via decoded pixel data. This results in potential information disclosure when processing a crafted malicious EXR file. The vulnerability is classified under CWE-908 (Use of Uninitialized Resource) and has a CVSS 4.0 score of 8.7, indicating high severity. The issue is resolved in version 3.4.8.
Potential Impact
An attacker can cause sensitive information from heap memory to be leaked by supplying a malicious EXR file that triggers the use of uninitialized memory during decoding. This can lead to unauthorized disclosure of potentially sensitive data contained in heap memory. No user interaction is required beyond opening or processing the malicious file. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade openexr to version 3.4.8 or later, where this vulnerability has been patched. Until the update is applied, avoid processing untrusted or unauthenticated EXR files to reduce risk of information disclosure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T16:31:39.264Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69cd8944e6bfc5ba1dfc32ea
Added to database: 4/1/2026, 9:08:20 PM
Last enriched: 4/10/2026, 12:10:43 AM
Last updated: 5/16/2026, 11:47:57 PM
Views: 61
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.