Nixpkgs security tracker

Dismissed

Permalink CVE-2026-34545

updated 2 weeks, 6 days ago by @LeSuisse Activity log

Created automatic suggestion 2 weeks, 6 days ago
@LeSuisse ignored
3 packages
- openexr_2
- openexrid-unstable
- haskellPackages.openexr-write
2 weeks, 6 days ago
@LeSuisse dismissed 2 weeks, 6 days ago

OpenEXR: integer overflow lead to OOB in HTJ2K decoder

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.7, an attacker providing a crafted .exr file with HTJ2K compression and a channel width of 32768 can write controlled data beyond the output heap buffer in any application that decodes EXR images. The write primitive is 2 bytes per overflow iteration or 4 bytes (by another path), repeating for each additional pixel past the overflow point. In this context, a heap write overflow can lead to remote code execution on systems. This issue has been patched in version 3.4.7.

References

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-ghfj-fx47-wg97 x_refsource_CONFIRM
https://github.com/AcademySoftwareFoundation/openexr/commit/3827998f5c041d6a94c6af24bbb363daa669e4b3 x_refsource_MISC
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.7 x_refsource_MISC

Affected products

openexr

==>= 3.4.0, < 3.4.7

Matching in nixpkgs

pkgs.openexr

High dynamic-range (HDR) image file format

nixos-unstable 3.3.5
- nixpkgs-unstable 3.3.5
- nixos-unstable-small 3.3.5
nixos-25.11 3.3.5
- nixos-25.11-small 3.3.5
- nixpkgs-25.11-darwin 3.3.5

Ignored packages (3)

pkgs.openexr_2

High dynamic-range (HDR) image file format

nixos-unstable 2.5.10
- nixpkgs-unstable 2.5.10
- nixos-unstable-small 2.5.10
nixos-25.11 2.5.10
- nixos-25.11-small 2.5.10
- nixpkgs-25.11-darwin 2.5.10

pkgs.openexrid-unstable

OpenEXR files able to isolate any object of a CG image with a perfect antialiazing

nixos-unstable 2017-09-17
- nixpkgs-unstable 2017-09-17
- nixos-unstable-small 2017-09-17
nixos-25.11 2017-09-17
- nixos-25.11-small 2017-09-17
- nixpkgs-25.11-darwin 2017-09-17

pkgs.haskellPackages.openexr-write

Library for writing images in OpenEXR HDR file format

nixos-unstable 0.1.0.2
- nixpkgs-unstable 0.1.0.2
- nixos-unstable-small 0.1.0.2
nixos-25.11 0.1.0.2
- nixos-25.11-small 0.1.0.2
- nixpkgs-25.11-darwin 0.1.0.2

Package maintainers

@paperdigits Mica Semrick <mica@silentumbrella.com>

Not in the range of impacted version

Suggestion detail