CVE-2025-48071 (GCVE-0-2025-48071)
Vulnerability from cvelistv5 – Published: 2025-07-31 20:13 – Updated: 2025-07-31 20:22
VLAI?
Title
OpenEXR's Forged Unpacked Size can Lead to Heap-Based Buffer Overflow in Deep Scanline Parsing
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3.
Severity ?
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AcademySoftwareFoundation | openexr |
Affected:
>= 3.3.0, < 3.3.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48071",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T20:22:12.430398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:22:23.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openexr",
"vendor": "AcademySoftwareFoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T20:13:14.436Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f"
},
{
"name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3"
}
],
"source": {
"advisory": "GHSA-h45x-qhg2-q375",
"discovery": "UNKNOWN"
},
"title": "OpenEXR\u0027s Forged Unpacked Size can Lead to Heap-Based Buffer Overflow in Deep Scanline Parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48071",
"datePublished": "2025-07-31T20:13:14.436Z",
"dateReserved": "2025-05-15T16:06:40.941Z",
"dateUpdated": "2025-07-31T20:22:23.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48071\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-31T20:22:12.430398Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-31T20:22:15.301Z\"}}], \"cna\": {\"title\": \"OpenEXR\u0027s Forged Unpacked Size can Lead to Heap-Based Buffer Overflow in Deep Scanline Parsing\", \"source\": {\"advisory\": \"GHSA-h45x-qhg2-q375\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"AcademySoftwareFoundation\", \"product\": \"openexr\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.3.0, \u003c 3.3.3\"}]}], \"references\": [{\"url\": \"https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375\", \"name\": \"https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f\", \"name\": \"https://github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3\", \"name\": \"https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-122\", \"description\": \"CWE-122: Heap-based Buffer Overflow\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-31T20:13:14.436Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-48071\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-31T20:22:23.603Z\", \"dateReserved\": \"2025-05-15T16:06:40.941Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-31T20:13:14.436Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
CNVD-2025-24799
Vulnerability from cnvd - Published: 2025-10-24
VLAI Severity ?
Title
OpenEXR缓冲区溢出漏洞(CNVD-2025-24799)
Description
OpenEXR是一种高动态范围图像(HDR)文件格式的开放标准。
OpenEXR 3.3.0至3.3.2版本在解压ZIPS压缩的深扫描线EXR文件时,存在堆缓冲区溢出漏洞,该漏洞源于处理恶意构造的块头数据时写入操作越界。攻击者可利用该漏洞通过特制文件触发堆溢出,导致程序崩溃或任意代码执行。
Severity
中
Patch Name
OpenEXR缓冲区溢出漏洞(CNVD-2025-24799)的补丁
Patch Description
OpenEXR是一种高动态范围图像(HDR)文件格式的开放标准。
OpenEXR 3.3.0至3.3.2版本在解压ZIPS压缩的深扫描线EXR文件时,存在堆缓冲区溢出漏洞,该漏洞源于处理恶意构造的块头数据时写入操作越界。攻击者可利用该漏洞通过特制文件触发堆溢出,导致程序崩溃或任意代码执行。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375
Reference
https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375
https://github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3
Impacted products
| Name | OpenEXR OpenEXR >=3.3.0,<=3.3.2 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2025-48071",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-48071"
}
},
"description": "OpenEXR\u662f\u4e00\u79cd\u9ad8\u52a8\u6001\u8303\u56f4\u56fe\u50cf\uff08HDR\uff09\u6587\u4ef6\u683c\u5f0f\u7684\u5f00\u653e\u6807\u51c6\u3002\n\nOpenEXR 3.3.0\u81f33.3.2\u7248\u672c\u5728\u89e3\u538bZIPS\u538b\u7f29\u7684\u6df1\u626b\u63cf\u7ebfEXR\u6587\u4ef6\u65f6\uff0c\u5b58\u5728\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5904\u7406\u6076\u610f\u6784\u9020\u7684\u5757\u5934\u6570\u636e\u65f6\u5199\u5165\u64cd\u4f5c\u8d8a\u754c\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7279\u5236\u6587\u4ef6\u89e6\u53d1\u5806\u6ea2\u51fa\uff0c\u5bfc\u81f4\u7a0b\u5e8f\u5d29\u6e83\u6216\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttps://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2025-24799",
"openTime": "2025-10-24",
"patchDescription": "OpenEXR\u662f\u4e00\u79cd\u9ad8\u52a8\u6001\u8303\u56f4\u56fe\u50cf\uff08HDR\uff09\u6587\u4ef6\u683c\u5f0f\u7684\u5f00\u653e\u6807\u51c6\u3002\r\n\r\nOpenEXR 3.3.0\u81f33.3.2\u7248\u672c\u5728\u89e3\u538bZIPS\u538b\u7f29\u7684\u6df1\u626b\u63cf\u7ebfEXR\u6587\u4ef6\u65f6\uff0c\u5b58\u5728\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5904\u7406\u6076\u610f\u6784\u9020\u7684\u5757\u5934\u6570\u636e\u65f6\u5199\u5165\u64cd\u4f5c\u8d8a\u754c\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7279\u5236\u6587\u4ef6\u89e6\u53d1\u5806\u6ea2\u51fa\uff0c\u5bfc\u81f4\u7a0b\u5e8f\u5d29\u6e83\u6216\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "OpenEXR\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2025-24799\uff09\u7684\u8865\u4e01",
"products": {
"product": "OpenEXR OpenEXR \u003e=3.3.0\uff0c\u003c=3.3.2"
},
"referenceLink": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375\r\nhttps://github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f\r\nhttps://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3",
"serverity": "\u4e2d",
"submitTime": "2025-08-11",
"title": "OpenEXR\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2025-24799\uff09"
}
GHSA-H45X-QHG2-Q375
Vulnerability from github – Published: 2025-07-31 19:12 – Updated: 2025-08-13 21:37
VLAI?
Summary
OpenEXR Heap-Based Buffer Overflow in Deep Scanline Parsing via Forged Unpacked Size
Details
Summary
The OpenEXRCore code is vulnerable to a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header.
Details
When parsing STORAGE_DEEP_SCANLINE chunks from an EXR file, the following code (from src/lib/OpenEXRCore/chunk.c) is used to extract the chunk information:
if (part->storage_mode == EXR_STORAGE_DEEP_SCANLINE)
// SNIP...
cinfo->sample_count_data_offset = dataoff;
cinfo->sample_count_table_size = (uint64_t) ddata[0];
cinfo->data_offset = dataoff + (uint64_t) ddata[0];
cinfo->packed_size = (uint64_t) ddata[1];
cinfo->unpacked_size = (uint64_t) ddata[2];
// SNIP...
By storing this information, the code that will later decompress and reconstruct the chunk bytes, will know how much space the uncompressed data will occupy.
This size is carried along in the chain of decoding/decompression until the undo_zip_impl function in src/lib/OpenEXRCore/internal_zip.c:
static exr_result_t
undo_zip_impl (
exr_decode_pipeline_t* decode,
const void* compressed_data,
uint64_t comp_buf_size,
void* uncompressed_data,
uint64_t uncompressed_size,
void* scratch_data,
uint64_t scratch_size)
{
size_t actual_out_bytes;
exr_result_t res;
if (scratch_size < uncompressed_size) return EXR_ERR_INVALID_ARGUMENT;
res = exr_uncompress_buffer (
decode->context,
compressed_data,
comp_buf_size,
scratch_data,
scratch_size,
&actual_out_bytes);
if (res == EXR_ERR_SUCCESS)
{
decode->bytes_decompressed = actual_out_bytes;
if (comp_buf_size > actual_out_bytes)
res = EXR_ERR_CORRUPT_CHUNK;
else
internal_zip_reconstruct_bytes (
uncompressed_data, scratch_data, actual_out_bytes);
}
return res;
}
The uncompressed_size comes from the unpacked_size extracted earlier, and the uncompressed_data is a buffer allocated by making space for the size "advertised" in the chunk information.
However, scratch_data and actual_out_bytes will contain, after decompression, the uncompressed data and its size, respectively.
The vulnerability lies in the fact that the undo_zip_impl function lacks code to check whether actual_out_bytes is greater than uncompressed_size.
The effect is that, by setting the unpacked_size in the chunk header smaller than the actual chunk decompressed data, it is possible - in the internal_zip_reconstruct_bytes function - to overflow past the boundaries of a heap chunk.
PoC
NOTE: you can download the heap_overflow.exr file from this link:
https://github.com/ShielderSec/poc/tree/main/CVE-2025-48071
- Compile the
exrcheckbinary in a macOS or GNU/Linux machine with ASAN. - Open the
heap_overflow.exrfile with the following command:
exrcheck heap_overflow.exr
- Notice that
exrcheckcrashes with an ASAN stack-trace.
Impact
An attacker might exploit this vulnerability by feeding a maliciously crafted file to a program that uses the OpenEXR libraries, thus gaining the capability to write an arbitrary amount of bytes in the heap. This could potentially result in code execution in the process.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "OpenEXR"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48071"
],
"database_specific": {
"cwe_ids": [
"CWE-122"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-31T19:12:56Z",
"nvd_published_at": "2025-07-31T21:15:27Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe OpenEXRCore code is vulnerable to a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header.\n\n### Details\nWhen parsing `STORAGE_DEEP_SCANLINE` chunks from an EXR file, the following code (from `src/lib/OpenEXRCore/chunk.c`) is used to extract the chunk information:\n\n```cpp\n\nif (part-\u003estorage_mode == EXR_STORAGE_DEEP_SCANLINE)\n// SNIP...\n cinfo-\u003esample_count_data_offset = dataoff;\n cinfo-\u003esample_count_table_size = (uint64_t) ddata[0];\n cinfo-\u003edata_offset = dataoff + (uint64_t) ddata[0];\n cinfo-\u003epacked_size = (uint64_t) ddata[1];\n cinfo-\u003eunpacked_size = (uint64_t) ddata[2];\n// SNIP...\n```\n\nBy storing this information, the code that will later decompress and reconstruct the chunk bytes, will know how much space the uncompressed data will occupy.\n\nThis size is carried along in the chain of decoding/decompression until the `undo_zip_impl` function in `src/lib/OpenEXRCore/internal_zip.c`:\n\n```cpp\nstatic exr_result_t\nundo_zip_impl (\n exr_decode_pipeline_t* decode,\n const void* compressed_data,\n uint64_t comp_buf_size,\n void* uncompressed_data,\n uint64_t uncompressed_size,\n void* scratch_data,\n uint64_t scratch_size)\n{\n size_t actual_out_bytes;\n exr_result_t res;\n\n if (scratch_size \u003c uncompressed_size) return EXR_ERR_INVALID_ARGUMENT;\n\n res = exr_uncompress_buffer (\n decode-\u003econtext,\n compressed_data,\n comp_buf_size,\n scratch_data,\n scratch_size,\n \u0026actual_out_bytes);\n\n if (res == EXR_ERR_SUCCESS)\n {\n decode-\u003ebytes_decompressed = actual_out_bytes;\n if (comp_buf_size \u003e actual_out_bytes)\n res = EXR_ERR_CORRUPT_CHUNK;\n else\n internal_zip_reconstruct_bytes (\n uncompressed_data, scratch_data, actual_out_bytes);\n }\n\n return res;\n}\n```\n\nThe `uncompressed_size`\u00a0comes from the `unpacked_size`\u00a0extracted earlier, and the `uncompressed_data` is a buffer allocated by making space for the size \"advertised\" in the chunk information.\n\nHowever, `scratch_data` and `actual_out_bytes` will contain, after decompression, the uncompressed data and its size, respectively. \n\nThe vulnerability lies in the fact that the `undo_zip_impl` function lacks code to check whether `actual_out_bytes` is greater than `uncompressed_size`. \n\nThe effect is that, by setting the `unpacked_size` in the chunk header smaller than the actual chunk decompressed data, it is possible - in the `internal_zip_reconstruct_bytes` function - to overflow past the boundaries of a heap chunk.\n\n### PoC\n\nNOTE: you can download the `heap_overflow.exr` file from this link:\n\nhttps://github.com/ShielderSec/poc/tree/main/CVE-2025-48071\n\n1. Compile the `exrcheck` binary in a macOS or GNU/Linux machine with ASAN.\n2. Open the `heap_overflow.exr` file with the following command:\n\n```\nexrcheck heap_overflow.exr\n```\n\n3. Notice that `exrcheck` crashes with an ASAN stack-trace.\n\n\n### Impact\n\nAn attacker might exploit this vulnerability by feeding a maliciously crafted file to a program that uses the OpenEXR libraries, thus gaining the capability to write an arbitrary amount of bytes in the heap. This could potentially result in code execution in the process.",
"id": "GHSA-h45x-qhg2-q375",
"modified": "2025-08-13T21:37:55Z",
"published": "2025-07-31T19:12:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48071"
},
{
"type": "WEB",
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f"
},
{
"type": "PACKAGE",
"url": "https://github.com/AcademySoftwareFoundation/openexr"
},
{
"type": "WEB",
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3"
},
{
"type": "WEB",
"url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-48071"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenEXR Heap-Based Buffer Overflow in Deep Scanline Parsing via Forged Unpacked Size"
}
FKIE_CVE-2025-48071
Vulnerability from fkie_nvd - Published: 2025-07-31 21:15 - Updated: 2025-08-13 19:18
Severity ?
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5283F944-763E-473E-89E7-C615B17E663D",
"versionEndExcluding": "3.3.3",
"versionStartIncluding": "3.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3."
},
{
"lang": "es",
"value": "OpenEXR proporciona la especificaci\u00f3n y la implementaci\u00f3n de referencia del formato de archivo EXR, un formato de almacenamiento de im\u00e1genes para la industria cinematogr\u00e1fica. En las versiones 3.3.2 a 3.3.0, se produce un desbordamiento de b\u00fafer en el mont\u00f3n durante una operaci\u00f3n de escritura al descomprimir archivos EXR de l\u00ednea de escaneo profundo comprimidos en ZIPS con un encabezado de fragmento falsificado maliciosamente. Esto se solucion\u00f3 en la versi\u00f3n 3.3.3."
}
],
"id": "CVE-2025-48071",
"lastModified": "2025-08-13T19:18:51.740",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-31T21:15:27.990",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-122"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…