Amazon Linux 2023 Security Advisory: ALAS2023-2026-1612
Advisory Released Date: 2026-04-30
Advisory Updated Date: 2026-04-30
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a signed integer overflow in generic_unpack(). By setting dataWindow.min.x to a large negative value, OpenEXRCore computes an enormous image width, which is later used in a signed integer multiplication that overflows, causing the process to terminate with SIGILL via UBSan. This vulnerability is fixed in 3.4.9. (CVE-2026-34378)
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c at line 377. The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit integer before casting to uint64_t. When w is large, this multiplication constitutes undefined behavior under the C standard. On tested builds (clang/gcc without sanitizers), two's-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer, which may allow the subsequent bounds check to pass incorrectly. If the check is bypassed, the decoding loop proceeds to write pixel data through dout, potentially extending far beyond the allocated output buffer. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. (CVE-2026-34380)
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. (CVE-2026-34588)
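The three CVEs above share one bug class: a size derived from attacker-controlled header fields (dataWindow extents, a channel width w, the nx * ny * wcount wavelet extent) is computed in signed 32-bit arithmetic and only afterwards widened or bounds-checked. The following C program is an added illustration, not OpenEXR code: the function names, the assumed 3 bytes per pixel behind w * 3, and the crafted values are choices made here to match the descriptions. The unfixed computation is emulated in unsigned arithmetic so that the demonstration itself contains no undefined behavior.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Emulates what an unfixed undo_pxr24_impl() obtains from (uint64_t)(w * 3)
 * on a build where signed overflow wraps: the product is formed in 32 bits
 * and only then widened.  Unsigned arithmetic is used here so that the
 * demonstration itself has no undefined behavior.
 */
uint32_t wrapped_mul3(int32_t w)
{
    return (uint32_t)w * 3u;   /* reduced modulo 2^32, as the wrapped int would be */
}

/*
 * Hardened form of the same row-size computation (assumed 3 bytes per pixel,
 * matching w * 3): reject non-positive widths, widen before multiplying,
 * and bounds-check against the bytes actually available.
 * Returns the byte count, or 0 if the row must be rejected.
 */
uint64_t checked_row_bytes(int32_t w, uint64_t avail)
{
    if (w <= 0)
        return 0;
    uint64_t bytes = (uint64_t)w * 3u;   /* cannot wrap: w < 2^31 */
    return bytes > avail ? 0 : bytes;
}

/*
 * Overflow-checked version of the nx * ny * wcount pointer advance that
 * internal_exr_undo_piz() performs in int arithmetic.  Each factor must be
 * positive and the product must fit within the remaining buffer; the
 * division guard keeps even the 64-bit product from wrapping.
 * Returns the element count, or 0 if the advance must be rejected.
 */
uint64_t checked_wavelet_advance(int nx, int ny, int wcount, uint64_t remaining)
{
    if (nx <= 0 || ny <= 0 || wcount <= 0)
        return 0;
    uint64_t n = (uint64_t)nx * (uint64_t)ny;        /* at most 2^62 */
    if (n > remaining / (uint64_t)wcount)             /* n * wcount > remaining */
        return 0;
    return n * (uint64_t)wcount;
}

/*
 * Validates a dataWindow x-range the way a header parser should before it
 * derives an image width: compute in 64 bits, require 1 <= width <= INT32_MAX.
 * Returns the width, or 0 if the window must be rejected.
 */
int64_t checked_data_window_width(int32_t min_x, int32_t max_x)
{
    int64_t width = (int64_t)max_x - (int64_t)min_x + 1;
    if (width < 1 || width > INT32_MAX)
        return 0;
    return width;
}

int main(void)
{
    /* Constructed crafted width: 0x55555556 * 3 == 2^32 + 2, wrapping to 2. */
    int32_t crafted_w = 1431655766;
    printf("w=%" PRId32 ": wrapped 32-bit product %" PRIu32 ", true product %" PRIu64 "\n",
           crafted_w, wrapped_mul3(crafted_w), (uint64_t)crafted_w * 3u);
    printf("checked_row_bytes(w, 4096) -> %" PRIu64 " (0 = rejected)\n",
           checked_row_bytes(crafted_w, 4096));

    /* 65536 * 65536 * 1 == 2^32: wraps to 0 in int, rejected here. */
    printf("checked_wavelet_advance(65536, 65536, 1, 1 MiB) -> %" PRIu64 "\n",
           checked_wavelet_advance(65536, 65536, 1, 1u << 20));

    /* dataWindow.min.x pushed to INT32_MIN: the width would be 2^32. */
    printf("checked_data_window_width(INT32_MIN, INT32_MAX) -> %" PRId64 "\n",
           checked_data_window_width(INT32_MIN, INT32_MAX));
    return 0;
}
```

The crafted width 1431655766 is the value class the CVE-2026-34380 text refers to: its true row size is 4294967298 bytes, but the wrapped 32-bit product is 2, which any "fits in the buffer" check would accept. Note that capping a dataWindow width at INT32_MAX only removes the overflow in the width itself; every later product (width times height, width times bytes per pixel) still needs the same 64-bit, overflow-guarded treatment.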
Affected Packages:
openexr
Issue Correction:
Run dnf update openexr --releasever 2023.11.20260427 or dnf update --advisory ALAS2023-2026-1612 --releasever 2023.11.20260427 to update your system. Afterwards, confirm the fix is installed with rpm -q openexr-libs, which should report 3.1.5-1.amzn2023.0.9 or later. The fixes are backported into the 3.1.5 package, so the package version will not match the upstream fixed releases (3.2.7, 3.3.9, 3.4.9) named in the CVE text. Any long-running process that has already loaded the old OpenEXR shared libraries keeps using them until it is restarted.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
openexr-libs-debuginfo-3.1.5-1.amzn2023.0.9.aarch64
openexr-3.1.5-1.amzn2023.0.9.aarch64
openexr-debuginfo-3.1.5-1.amzn2023.0.9.aarch64
openexr-libs-3.1.5-1.amzn2023.0.9.aarch64
openexr-devel-3.1.5-1.amzn2023.0.9.aarch64
openexr-debugsource-3.1.5-1.amzn2023.0.9.aarch64
src:
openexr-3.1.5-1.amzn2023.0.9.src
x86_64:
openexr-libs-debuginfo-3.1.5-1.amzn2023.0.9.x86_64
openexr-debuginfo-3.1.5-1.amzn2023.0.9.x86_64
openexr-libs-3.1.5-1.amzn2023.0.9.x86_64
openexr-3.1.5-1.amzn2023.0.9.x86_64
openexr-devel-3.1.5-1.amzn2023.0.9.x86_64
openexr-debugsource-3.1.5-1.amzn2023.0.9.x86_64