A critical vulnerability (CVE-2026-34588, CVSS 7.8 HIGH) in OpenEXR allows arbitrary code execution and information disclosure via a crafted EXR file. Affected versions are openexr 3.1.0 through 3.1.x, 3.3.0 through 3.3.8, and 3.4.0 through 3.4.8. The fix requires upgrading to version 3.2.7, 3.3.9, or 3.4.9, respectively.
Red Hat Product Errata RHSA-2026:15888 - Security Advisory Issued: 2026-05-11 Updated: 2026-05-11 RHSA-2026:15888 - Security Advisory Overview Updated Packages Synopsis Important: openexr security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for openexr is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description OpenEXR is an open-source high-dynamic-range floating-point image file format for high-quality image processing and storage. This document presents a brief overview of OpenEXR and explains concepts that are specific to this format. This package containes the binaries for OpenEXR. Security Fix(es): OpenEXR: OpenEXR: Arbitrary code execution and information disclosure via crafted EXR file (CVE-2026-34588) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 10 x86_64 Red Hat Enterprise Linux for IBM z Systems 10 s390x Red Hat Enterprise Linux for Power, little endian 10 ppc64le Red Hat Enterprise Linux for ARM 64 10 aarch64 Red Hat CodeReady Linux Builder for x86_64 10 x86_64 Red Hat CodeReady Linux Builder for Power, little endian 10 ppc64le Red Hat CodeReady Linux Builder for ARM 64 10 aarch64 Red Hat CodeReady Linux Builder for IBM z Systems 10 s390x Fixes BZ - 2455408 - CVE-2026-34588 OpenEXR: OpenEXR: Arbitrary code execution and information disclosure via crafted EXR file CVEs CVE-2026-34588 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 10 SRPM openexr-3.1.10-8.el10_1.2.src.rpm SHA-256: 0a8551598a1fac78303b2016b6421192c4b35e9400a50825a810f78021fabe6f x86_64 openexr-3.1.10-8.el10_1.2.x86_64.rpm SHA-256: 237db1b9847a0f45deee9d7f7e4e4856c410d6db653690830125bef7806d21ec openexr-debuginfo-3.1.10-8.el10_1.2.x86_64.rpm SHA-256: 5363a4de24541c6f40b74ea814a6bf21fafbfc28714e88a141251030e1cbb627 openexr-debugsource-3.1.10-8.el10_1.2.x86_64.rpm SHA-256: 84320ed4c0f1d55a8f8a4c83014404568a73670c0fc04df1081eeb7fd18fe60d openexr-libs-3.1.10-8.el10_1.2.x86_64.rpm SHA-256: c59a0658601fb6986911320ea8c55f1351158fdcd58071f39a0333dcaad7285f openexr-libs-debuginfo-3.1.10-8.el10_1.2.x86_64.rpm SHA-256: 00c48179208a4cabe57b038c754feed5684d795765f2ecc377f80a3b73cc5205 Red Hat Enterprise Linux for IBM z Systems 10 SRPM openexr-3.1.10-8.el10_1.2.src.rpm SHA-256: 0a8551598a1fac78303b2016b6421192c4b35e9400a50825a810f78021fabe6f s390x openexr-3.1.10-8.el10_1.2.s390x.rpm SHA-256: 2e681d405416fa840783b801cfbdab040a104a3f7f282e133be5bda12b8a697e openexr-debuginfo-3.1.10-8.el10_1.2.s390x.rpm SHA-256: 78092b8cf19a824bbe4a2f0ed8d6d8d21a1671cf6d985d83ce6f853ffdbcdf08 openexr-debugsource-3.1.10-8.el10_1.2.s390x.rpm SHA-256: b190f95c00daadd6c7db253d4b70a25c8e5f34edcf29c35ee3923413af4d46e8 openexr-libs-3.1.10-8.el10_1.2.s390x.rpm SHA-256: ecdee8ee9948e4d218d05afa0bf5b9f1085b7610091fd47ca84a428d0aead732 openexr-libs-debuginfo-3.1.10-8.el10_1.2.s390x.rpm SHA-256: 54be6ca5bcf220fde91ad6d55db37f5b524afca52b37ccf516ca101299ef1f68 Red Hat Enterprise Linux for Power, little endian 10 SRPM openexr-3.1.10-8.el10_1.2.src.rpm SHA-256: 0a8551598a1fac78303b2016b6421192c4b35e9400a50825a810f78021fabe6f ppc64le openexr-3.1.10-8.el10_1.2.ppc64le.rpm SHA-256: 750108998ab5c32ca2f457322870b6682442b5f224a146a72c669cfe1388fc01 openexr-debuginfo-3.1.10-8.el10_1.2.ppc64le.rpm SHA-256: ae3f777fd47bb4fb5686c0eaa0db18d4b52cd5562a09946e23ece7d439d6dab6 openexr-debugsource-3.1.10-8.el10_1.2.ppc64le.rpm SHA-256: 577078008c9175d4244454d1b8094d7df0cb3ce0527a22c0ed27d96f7b2eb1cb openexr-libs-3.1.10-8.el10_1.2.ppc64le.rpm SHA-256: 15a5b23593f98d60be75b91570bd0f1c5b359cbef305a29145498be2e3664aac openexr-libs-debuginfo-3.1.10-8.el10_1.2.ppc64le.rpm SHA-256: 02cef1e8957aa216bfcf466488e7a202aae0104b10e40e0128129b87a7c2683a Red Hat Enterprise Linux for ARM 64 10 SRPM openexr-3.1.10-8.el10_1.2.src.rpm SHA-256: 0a8551598a1fac78303b2016b6421192c4b35e9400a50825a810f78021fabe6f aarch64 openexr-3.1.10-8.el10_1.2.aarch64.rpm SHA-256: 1043777718881d305d8c6dfcf418baa69c5c1e135a53bdef93b817c3715db524 openexr-debuginfo-3.1.10-8.el10_1.2.aarch64.rpm SHA-256: 98fb6755a639dbdbad44ef8bddd1caf2f1f1f6fd872f89d228ed54df80fcf2cb openexr-debugsource-3.1.10-8.el10_1.2.aarch64.rpm SHA-256: 90c74df7084d50c0857907e9eef5b77652a02146d534b806fe715601207cdaa3 openexr-libs-3.1.10-8.el10_1.2.aarch64.rpm SHA-256: f08906b396fc8c762c48ff85681fc1ad2cfdba7793f68da8ff64c72a1bd1dfca openexr-libs-debuginfo-3.1.10-8.el10_1.2.aarch64.rpm SHA-256: 99b4fb059476b85124bf0afd6a4ffafd76c49ef1e1e87140915dc758d9cd651c Red Hat CodeReady Linux Builder for x86_64 10 SRPM x86_64 openexr-debuginfo-3.1.10-8.el10_1.2.x86_64.rpm SHA-256: 5363a4de24541c6f40b74ea814a6bf21fafbfc28714e88a141251030e1cbb627 openexr-debugsource-3.1.10-8.el10_1.2.x86_64.rpm SHA-256: 84320ed4c0f1d55a8f8a4c83014404568a73670c0fc04df1081eeb7fd18fe60d openexr-devel-3.1.10-8.el10_1.2.x86_64.rpm SHA-256: 8a291b54dd23cf8a40271cb0a0c76429d93a5cc2c45ddf2af8bf8ebce5d23ac8 openexr-libs-debuginfo-3.1.10-8.el10_1.2.x86_64.rpm SHA-256: 00c48179208a4cabe57b038c754feed5684d795765f2ecc377f80a3b73cc5205 Red Hat CodeReady Linux Builder for Power, little endian 10 SRPM ppc64le openexr-debuginfo-3.1.10-8.el10_1.2.ppc64le.rpm SHA-256: ae3f777fd47bb4fb5686c0eaa0db18d4b52cd5562a09946e23ece7d439d6dab6 openexr-debugsource-3.1.10-8.el10_1.2.ppc64le.rpm SHA-256: 577078008c9175d4244454d1b8094d7df0cb3ce0527a22c0ed27d96f7b2eb1cb openexr-devel-3.1.10-8.el10_1.2.ppc64le.rpm SHA-256: 29908ff8a93ee04b5619ccb704289ac11486273257a5609417a190bcd4d96a40 openexr-libs-debuginfo-3.1.10-8.el10_1.2.ppc64le.rpm SHA-256: 02cef1e8957aa216bfcf466488e7a202aae0104b10e40e0128129b87a7c2683a Red Hat CodeReady Linux Builder for ARM 64 10 SRPM aarch64 openexr-debuginfo-3.1.10-8.el10_1.2.aarch64.rpm SHA-256: 98fb6755a639dbdbad44ef8bddd1caf2f1f1f6fd872f89d228ed54df80fcf2cb openexr-debugsource-3.1.10-8.el10_1.2.aarch64.rpm SHA-256: 90c74df7084d50c0857907e9eef5b77652a02146d534b806fe715601207cdaa3 openexr-devel-3.1.10-8.el10_1.2.aarch64.rpm SHA-256: 13e98d1fc812435dfbd3db87ad8ba402a7d36bc1d071bee31d0f970b928b4b64 openexr-libs-debuginfo-3.1.10-8.el10_1.2.aarch64.rpm SHA-256: 99b4fb059476b85124bf0afd6a4ffafd76c49ef1e1e87140915dc758d9cd651c Red Hat CodeReady Linux Builder for IBM z Systems 10 SRPM s390x openexr-debuginfo-3.1.10-8.el10_1.2.s390x.rpm SHA-256: 78092b8cf19a824bbe4a2f0ed8d6d8d21a1671cf6d985d83ce6f853ffdbcdf08 openexr-debugsource-3.1.10-8.el10_1.2.s390x.rpm SHA-256: b190f95c00daadd6c7db253d4b70a25c8e5f34edcf29c35ee3923413af4d46e8 openexr-devel-3.1.10-8.el10_1.2.s390x.rpm SHA-256: 5a38451c28882fad7149f35ffe3b6d3755937e8f3e00369cb91ebccf3e62cde1 openexr-libs-debuginfo-3.1.10-8.el10_1.2.s390x.rpm SHA-256: 54be6ca5bcf220fde91ad6d55db37f5b524afca52b37ccf516ca101299ef1f68 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .