Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-64181

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue.

Published

2025-11-10T22:15:36.933

Last Modified

2025-12-08T15:59:58.893

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-457

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	openexr	openexr	< 3.3.6	Yes
Application	openexr	openexr	< 3.4.3	Yes

References

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq Exploit, Vendor Advisory ([email protected])
https://github.com/user-attachments/files/23024726/archive0.zip Broken Link ([email protected])
https://github.com/user-attachments/files/23024736/archive1.zip Broken Link ([email protected])
https://github.com/user-attachments/files/23024740/archive2.zip Broken Link ([email protected])
https://github.com/user-attachments/files/23024744/archive3.zip Broken Link ([email protected])
https://github.com/user-attachments/files/23024746/archive4.zip Broken Link ([email protected])
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq Exploit, Vendor Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)