{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"MEDIUM" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.", "category":"general", "title":"Synopsis" } ], "publisher":null, "references":[ { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34589" }, { "summary":"CVE-2026-34589 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/cve/2026/csaf-openeuler-cve-2026-34589.json" }, { "summary":"openEuler-SA-2026-1844", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1844" }, { "summary":"CVE-2026-34589", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34589&packageName=OpenEXR" } ], "title":"openEuler cve CVE-2026-34589", "tracking":{ "initial_release_date":"2026-04-14T10:10:56+08:00", "revision_history":[ { "date":"2026-04-14T10:10:56+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2026-04-14T10:10:56+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2026-04-14T10:10:56+08:00", "id":"CVE-2026-34589", "version":"1.0.0", "status":"interim" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"openEuler-22.03-LTS-SP4", "name":"openEuler-22.03-LTS-SP4" }, "name":"openEuler-22.03-LTS-SP4", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"OpenEXR-3.1.5-6.oe2203sp4.aarch64.rpm", "name":"OpenEXR-3.1.5-6.oe2203sp4.aarch64.rpm" }, "name":"OpenEXR-3.1.5-6.oe2203sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"OpenEXR-debuginfo-3.1.5-6.oe2203sp4.aarch64.rpm", "name":"OpenEXR-debuginfo-3.1.5-6.oe2203sp4.aarch64.rpm" }, "name":"OpenEXR-debuginfo-3.1.5-6.oe2203sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"OpenEXR-debugsource-3.1.5-6.oe2203sp4.aarch64.rpm", "name":"OpenEXR-debugsource-3.1.5-6.oe2203sp4.aarch64.rpm" }, "name":"OpenEXR-debugsource-3.1.5-6.oe2203sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"OpenEXR-devel-3.1.5-6.oe2203sp4.aarch64.rpm", "name":"OpenEXR-devel-3.1.5-6.oe2203sp4.aarch64.rpm" }, "name":"OpenEXR-devel-3.1.5-6.oe2203sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"OpenEXR-libs-3.1.5-6.oe2203sp4.aarch64.rpm", "name":"OpenEXR-libs-3.1.5-6.oe2203sp4.aarch64.rpm" }, "name":"OpenEXR-libs-3.1.5-6.oe2203sp4.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"OpenEXR-3.1.5-6.oe2203sp4.src.rpm", "name":"OpenEXR-3.1.5-6.oe2203sp4.src.rpm" }, "name":"OpenEXR-3.1.5-6.oe2203sp4.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"OpenEXR-3.1.5-6.oe2203sp4.x86_64.rpm", "name":"OpenEXR-3.1.5-6.oe2203sp4.x86_64.rpm" }, "name":"OpenEXR-3.1.5-6.oe2203sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"OpenEXR-debuginfo-3.1.5-6.oe2203sp4.x86_64.rpm", "name":"OpenEXR-debuginfo-3.1.5-6.oe2203sp4.x86_64.rpm" }, "name":"OpenEXR-debuginfo-3.1.5-6.oe2203sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"OpenEXR-debugsource-3.1.5-6.oe2203sp4.x86_64.rpm", "name":"OpenEXR-debugsource-3.1.5-6.oe2203sp4.x86_64.rpm" }, "name":"OpenEXR-debugsource-3.1.5-6.oe2203sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"OpenEXR-devel-3.1.5-6.oe2203sp4.x86_64.rpm", "name":"OpenEXR-devel-3.1.5-6.oe2203sp4.x86_64.rpm" }, "name":"OpenEXR-devel-3.1.5-6.oe2203sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"OpenEXR-libs-3.1.5-6.oe2203sp4.x86_64.rpm", "name":"OpenEXR-libs-3.1.5-6.oe2203sp4.x86_64.rpm" }, "name":"OpenEXR-libs-3.1.5-6.oe2203sp4.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"OpenEXR-3.1.5-6.oe2203sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:OpenEXR-3.1.5-6.oe2203sp4.aarch64", "name":"OpenEXR-3.1.5-6.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"OpenEXR-debuginfo-3.1.5-6.oe2203sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:OpenEXR-debuginfo-3.1.5-6.oe2203sp4.aarch64", "name":"OpenEXR-debuginfo-3.1.5-6.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"OpenEXR-debugsource-3.1.5-6.oe2203sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:OpenEXR-debugsource-3.1.5-6.oe2203sp4.aarch64", "name":"OpenEXR-debugsource-3.1.5-6.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"OpenEXR-devel-3.1.5-6.oe2203sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:OpenEXR-devel-3.1.5-6.oe2203sp4.aarch64", "name":"OpenEXR-devel-3.1.5-6.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"OpenEXR-libs-3.1.5-6.oe2203sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:OpenEXR-libs-3.1.5-6.oe2203sp4.aarch64", "name":"OpenEXR-libs-3.1.5-6.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"OpenEXR-3.1.5-6.oe2203sp4.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:OpenEXR-3.1.5-6.oe2203sp4.src", "name":"OpenEXR-3.1.5-6.oe2203sp4.src as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"OpenEXR-3.1.5-6.oe2203sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:OpenEXR-3.1.5-6.oe2203sp4.x86_64", "name":"OpenEXR-3.1.5-6.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"OpenEXR-debuginfo-3.1.5-6.oe2203sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:OpenEXR-debuginfo-3.1.5-6.oe2203sp4.x86_64", "name":"OpenEXR-debuginfo-3.1.5-6.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"OpenEXR-debugsource-3.1.5-6.oe2203sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:OpenEXR-debugsource-3.1.5-6.oe2203sp4.x86_64", "name":"OpenEXR-debugsource-3.1.5-6.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"OpenEXR-devel-3.1.5-6.oe2203sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:OpenEXR-devel-3.1.5-6.oe2203sp4.x86_64", "name":"OpenEXR-devel-3.1.5-6.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"OpenEXR-libs-3.1.5-6.oe2203sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:OpenEXR-libs-3.1.5-6.oe2203sp4.x86_64", "name":"OpenEXR-libs-3.1.5-6.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2026-34589", "notes":[ { "text":"OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":{ "$ref":"$.vulnerabilities[0].product_status.fixed" } }, "remediations":[ { "product_ids":{ "$ref":"$.vulnerabilities[0].product_status.fixed" }, "details":"OpenEXR security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1844" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.0, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":{ "$ref":"$.vulnerabilities[0].product_status.fixed" } } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2026-34589" } ] }