CVE-2025-48074 — Allocation of Resources Without Limits or Throttling in Openexr

CWE-770 — Allocation of Resources Without Limits or Throttling6 documents5 sources

Severity

4.6MEDIUMNVD

EPSS

0.0%

top 86.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openexr Debian Openexr Academysoftwarefoundation Openexr

Timeline

PublishedAug 1

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages5 packages

▶debiandebian/openexr< openexr 3.4.6+ds-1 (forky)

▶PyPIopenexr/openexr3.3.2 — 3.3.3

▶Debianopenexr/openexr< 3.4.6+ds-1

▶NVDopenexr/openexr3.3.2

▶CVEListV5academysoftwarefoundation/openexr>= 3.3.2, < 3.3.3

🔴Vulnerability Details

OSV

CVE-2025-48074: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry↗2025-08-01

▶

GHSA

OpenEXR Out-Of-Memory via Unbounded File Header Values↗2025-07-31

▶

OSV

OpenEXR Out-Of-Memory via Unbounded File Header Values↗2025-07-31

▶

📋Vendor Advisories

Red Hat

openexr: OpenEXR memory exhaustion↗2025-08-01

▶

Debian

CVE-2025-48074: openexr - OpenEXR provides the specification and reference implementation of the EXR file ...↗2025

▶