SB2026041139 - openEuler 22.03 LTS SP4 update for OpenEXR

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Integer overflow (CVE-ID: CVE-2026-34380)

The vulnerability allows a remote attacker to cause a denial of service and modify memory.

The vulnerability exists due to integer overflow or wraparound in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c when parsing a crafted PXR24-compressed EXR file. A remote attacker can supply a specially crafted EXR file to cause a denial of service and modify memory.

User interaction is required to open or process the crafted file, and exploitation requires a FLOAT channel using PXR24 compression.

2) Integer overflow (CVE-ID: CVE-2026-34589)

The vulnerability allows a remote attacker to execute arbitrary code or cause a denial of service.

The vulnerability exists due to integer overflow leading to an out-of-bounds write in the DWA lossy decoder when parsing a crafted scanline DWAA file. A remote attacker can supply a specially crafted file to execute arbitrary code or cause a denial of service.

User interaction is required to open or process the crafted file.

Remediation

Install update from vendor's website.

References

• https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-1844