GHSA-VC68-257W-M432

Vulnerability from github – Published: 2026-04-03 21:50 – Updated: 2026-04-03 21:50
VLAI?
Summary
OpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)
Details

Summary

The PXR24 decompression function undo_pxr24_impl in OpenEXR (internal_pxr24.c) ignores the actual decompressed size (outSize) returned by exr_uncompress_buffer() and instead reads from the scratch buffer based solely on the expected size (uncompressed_size) derived from the header metadata.

Additionally, exr_uncompress_buffer() (compression.c:202) treats LIBDEFLATE_SHORT_OUTPUT (where the compressed stream decompresses to fewer bytes than expected) as a successful result rather than an error.

When these two issues are combined, an attacker can craft a PXR24 EXR file containing a valid but truncated zlib stream. As a result, the decoder reads uninitialized heap memory and incorporates it into the output pixel data.

Details

This issue occurs due to the combination of two flaws.

  1. compression.c:202–205 — LIBDEFLATE_SHORT_OUTPUT treated as success
else if (res == LIBDEFLATE_SHORT_OUTPUT)
{
    /* TODO: is this an error? */
    return EXR_ERR_SUCCESS;
}

libdeflate_zlib_decompress_ex() returns LIBDEFLATE_SHORT_OUTPUT when the compressed stream is successfully decompressed but the resulting output size is smaller than the provided output buffer size. In this case, the actual number of decompressed bytes is written to actual_out. However, the function does not treat this condition as an error and instead returns success.

  1. internal_pxr24.c:279–287 — outSize return value ignored
rstat = exr_uncompress_buffer(
    decode->context, compressed_data, comp_buf_size,
    scratch_data, scratch_size, &outSize);   // outSize = actual bytes written

if (rstat != EXR_ERR_SUCCESS) return rstat;

// outSize is never referenced afterwards.
// The loop below reads the entire scratch_data buffer based on
// uncompressed_size (the header-derived expected size).
for (int y = 0; y < decode->chunk.height; ++y) { ... }

After exr_uncompress_buffer() returns success, the code does not verify whether the actual decompressed size (outSize) matches the expected size (uncompressed_size). The subsequent byte-plane reconstruction loop reads from the scratch buffer up to uncompressed_size bytes. As a result, the region between outSize and uncompressed_size consists of uninitialized heap memory, which is then read by the decoder.

Affected component - src/lib/OpenEXRCore/internal_pxr24.c — undo_pxr24_impl() (line 261–399) - src/lib/OpenEXRCore/compression.c — exr_uncompress_buffer() (line 202–205)

PoC

Please refer to the atta poc.zip ched archive file and proceed after extracting it.

  1. git clone https://github.com/AcademySoftwareFoundation/openexr.git
  2. mv poc openexr/
  3. cd openexr
  4. docker build -f poc/Dockerfile -t pxr24-poc .
  5. docker run --rm pxr24-poc

스크린샷 2026-03-15 오후 4 38 18

Impact

  • Sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). Trigger Condition: Occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction.
Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.4.7"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "openexr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.0"
            },
            {
              "fixed": "3.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "openexr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "last_affected": "3.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "openexr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "last_affected": "3.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T21:50:14Z",
    "nvd_published_at": "2026-04-01T21:17:01Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe PXR24 decompression function undo_pxr24_impl in OpenEXR (internal_pxr24.c) ignores the actual decompressed size (outSize) returned by exr_uncompress_buffer() and instead reads from the scratch buffer based solely on the expected size (uncompressed_size) derived from the header metadata.\n\nAdditionally, exr_uncompress_buffer() (compression.c:202) treats LIBDEFLATE_SHORT_OUTPUT (where the compressed stream decompresses to fewer bytes than expected) as a successful result rather than an error.\n\nWhen these two issues are combined, an attacker can craft a PXR24 EXR file containing a valid but truncated zlib stream. As a result, the decoder reads uninitialized heap memory and incorporates it into the output pixel data.\n\n### Details\nThis issue occurs due to the combination of two flaws.\n\n1. compression.c:202\u2013205 \u2014 LIBDEFLATE_SHORT_OUTPUT treated as success\n```\nelse if (res == LIBDEFLATE_SHORT_OUTPUT)\n{\n    /* TODO: is this an error? */\n    return EXR_ERR_SUCCESS;\n}\n```\nlibdeflate_zlib_decompress_ex() returns LIBDEFLATE_SHORT_OUTPUT when the compressed stream is successfully decompressed but the resulting output size is smaller than the provided output buffer size. In this case, the actual number of decompressed bytes is written to actual_out. However, the function does not treat this condition as an error and instead returns success.\n\n2. internal_pxr24.c:279\u2013287 \u2014 outSize return value ignored\n```\nrstat = exr_uncompress_buffer(\n    decode-\u003econtext, compressed_data, comp_buf_size,\n    scratch_data, scratch_size, \u0026outSize);   // outSize = actual bytes written\n\nif (rstat != EXR_ERR_SUCCESS) return rstat;\n\n// outSize is never referenced afterwards.\n// The loop below reads the entire scratch_data buffer based on\n// uncompressed_size (the header-derived expected size).\nfor (int y = 0; y \u003c decode-\u003echunk.height; ++y) { ... }\n```\nAfter exr_uncompress_buffer() returns success, the code does not verify whether the actual decompressed size (outSize) matches the expected size (uncompressed_size). The subsequent byte-plane reconstruction loop reads from the scratch buffer up to uncompressed_size bytes. As a result, the region between outSize and uncompressed_size consists of uninitialized heap memory, which is then read by the decoder.\n\n**Affected component**\n- src/lib/OpenEXRCore/internal_pxr24.c \u2014 undo_pxr24_impl() (line 261\u2013399)\n- src/lib/OpenEXRCore/compression.c \u2014 exr_uncompress_buffer() (line 202\u2013205)\n\n### PoC\nPlease refer to the atta\n[poc.zip](https://github.com/user-attachments/files/26002361/poc.zip)\nched archive file and proceed after extracting it.\n\n1. git clone https://github.com/AcademySoftwareFoundation/openexr.git\n2. mv poc openexr/\n3. cd openexr\n4. docker build -f poc/Dockerfile -t pxr24-poc .\n5. docker run --rm pxr24-poc\n\n\u003cimg width=\"858\" height=\"155\" alt=\"\u1109\u1173\u110f\u1173\u1105\u1175\u11ab\u1109\u1163\u11ba 2026-03-15 \u110b\u1169\u1112\u116e 4 38 18\" src=\"https://github.com/user-attachments/assets/ded9eab6-9b92-40f7-9a0d-7b00db7e6088\" /\u003e\n\n\n### Impact\n* Sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure).\nTrigger Condition: Occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction.",
  "id": "GHSA-vc68-257w-m432",
  "modified": "2026-04-03T21:50:15Z",
  "published": "2026-04-03T21:50:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vc68-257w-m432"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34543"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/openexr/commit/5f6d0aaa9e43802917af7db90f181e88e083d3b8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AcademySoftwareFoundation/openexr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.