CVE-2025-48072

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361	Patch
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3	Release Notes
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openexr:openexr:3.3.2:*:*:*:*:*:*:*

History

13 Aug 2025, 20:23

Type	Values Removed	Values Added
CPE		cpe:2.3:a:openexr:openexr:3.3.2:::::::*
References	~~() https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361 -~~	() https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361 - Patch
References	~~() https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3 -~~	() https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3 - Release Notes
References	~~() https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43 -~~	() https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43 - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
First Time		Openexr Openexr openexr

04 Aug 2025, 15:06

Type	Values Removed	Values Added
Summary		(es) OpenEXR proporciona la especificación y la implementación de referencia del formato de archivo EXR, un formato de almacenamiento de imágenes para la industria cinematográfica. La versión 3.3.2 es vulnerable a un desbordamiento de búfer basado en el montón durante una operación de lectura debido a un cálculo incorrecto del puntero al descomprimir archivos EXR de línea de escaneo empaquetados con DWAA con un fragmento falsificado maliciosamente. Esto se corrige en la versión 3.3.3.

31 Jul 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-31 21:15

Updated : 2025-08-13 20:23

NVD link : CVE-2025-48072

Mitre link : CVE-2025-48072

CVE.ORG link : CVE-2025-48072

JSON object : View

Products Affected

openexr

openexr

CWE

CWE-125

Out-of-bounds Read

9.1 /10