SB2026041539 - Anolis OS update for OpenEXR
Published: April 15, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2026-34588)
The vulnerability allows a remote attacker to read and write out-of-bounds memory.
The vulnerability exists due to integer overflow in internal_exr_undo_piz() in the PIZ decoder when parsing a crafted EXR file. A remote attacker can supply a specially crafted EXR file to read and write out-of-bounds memory.
The issue occurs during PIZ decompression because signed 32-bit arithmetic can wrap while advancing the working wavelet pointer, causing the next channel to decode from an incorrect address.
2) Integer overflow (CVE-ID: CVE-2026-34589)
The vulnerability allows a remote attacker to execute arbitrary code or cause a denial of service.
The vulnerability exists due to integer overflow leading to an out-of-bounds write in the DWA lossy decoder when parsing a crafted scanline DWAA file. A remote attacker can supply a specially crafted file to execute arbitrary code or cause a denial of service.
User interaction is required to open or process the crafted file.
Remediation
Install update from vendor's website.