CVE-2025-48071 — Heap-based Buffer Overflow in Openexr

CWE-122 — Heap-based Buffer Overflow6 documents5 sources

Severity

8.4HIGHNVD

EPSS

0.0%

top 89.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openexr Academysoftwarefoundation Openexr Debian Openexr

Timeline

PublishedJul 31

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDopenexr/openexr3.3.0 — 3.3.3

▶PyPIopenexr/openexr3.3.0 — 3.3.3

▶debiandebian/openexr

▶CVEListV5academysoftwarefoundation/openexr>= 3.3.0, < 3.3.3

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

OpenEXR Heap-Based Buffer Overflow in Deep Scanline Parsing via Forged Unpacked Size↗2025-07-31

▶

GHSA

OpenEXR Heap-Based Buffer Overflow in Deep Scanline Parsing via Forged Unpacked Size↗2025-07-31

▶

OSV

CVE-2025-48071: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry↗2025-07-31

▶

📋Vendor Advisories

Red Hat

openexr: OpenEXR Heap-Based Buffer Overflow↗2025-07-31

▶

Debian

CVE-2025-48071: openexr - OpenEXR provides the specification and reference implementation of the EXR file ...↗2025

▶