Vulnerability-Lookup

CVE-2025-48072 (GCVE-0-2025-48072)

Vulnerability from cvelistv5 – Published: 2025-07-31 20:18 – Updated: 2025-07-31 20:37

Title

OpenEXR's Inaccurate Pointer Arithmetic can Cause an Out of Bounds Heap

Summary

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.

Severity ?

6.8 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-125 - Out-of-bounds Read

Assigner

GitHub_M

References

URL

Tags

	https://github.com/AcademySoftwareFoundation/open…	x_refsource_CONFIRM
	https://github.com/AcademySoftwareFoundation/open…	x_refsource_MISC
	https://github.com/AcademySoftwareFoundation/open…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	AcademySoftwareFoundation	openexr	Affected: >= 3.3.2, < 3.3.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48072",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-31T20:37:11.233759Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-31T20:37:21.287Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openexr",
          "vendor": "AcademySoftwareFoundation",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.3.2, \u003c 3.3.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-31T20:18:40.598Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43"
        },
        {
          "name": "https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361"
        },
        {
          "name": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3"
        }
      ],
      "source": {
        "advisory": "GHSA-4r7w-q3jg-ff43",
        "discovery": "UNKNOWN"
      },
      "title": "OpenEXR\u0027s Inaccurate Pointer Arithmetic can Cause an Out of Bounds Heap"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-48072",
    "datePublished": "2025-07-31T20:18:40.598Z",
    "dateReserved": "2025-05-15T16:06:40.942Z",
    "dateUpdated": "2025-07-31T20:37:21.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48072\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-31T20:37:11.233759Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-31T20:37:16.047Z\"}}], \"cna\": {\"title\": \"OpenEXR\u0027s Inaccurate Pointer Arithmetic can Cause an Out of Bounds Heap\", \"source\": {\"advisory\": \"GHSA-4r7w-q3jg-ff43\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"AcademySoftwareFoundation\", \"product\": \"openexr\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.3.2, \u003c 3.3.3\"}]}], \"references\": [{\"url\": \"https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43\", \"name\": \"https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361\", \"name\": \"https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3\", \"name\": \"https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-125\", \"description\": \"CWE-125: Out-of-bounds Read\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-31T20:18:40.598Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-48072\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-31T20:37:21.287Z\", \"dateReserved\": \"2025-05-15T16:06:40.942Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-31T20:18:40.598Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-4R7W-Q3JG-FF43

Vulnerability from github – Published: 2025-07-31 19:20 – Updated: 2025-08-01 13:29

Summary

OpenEXR Out of Bounds Heap Read due to Bad Pointer Arithmetic in LossyDctDecoder_execute

Details

Summary

The OpenEXRCore code is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk.

Details

In the LossyDctDecoder_execute function (from src/lib/OpenEXRCore/internal_dwa_decoder.h, when SSE2 is enabled), the following code is used to copy data from the chunks:

// no-op conversion to linear
for (int y = 8 * blocky; y < 8 * blocky + maxY; ++y)
{
    __m128i* restrict dst = (__m128i *) chanData[comp]->_rows[y];
    __m128i const * restrict src = (__m128i const *)&rowBlock[comp][(y & 0x7) * 8];

    for (int blockx = 0; blockx < numFullBlocksX; ++blockx)
    {
        _mm_storeu_si128 (dst, _mm_loadu_si128 (src)); //

        src += 8 * 8; // <--- si128 pointer incremented as a uint16_t
        dst += 8;
    }
}

The issue arises because the src pointer, which is a si128 pointer, is incremented by 8*8, as if it were a uint16_t pointer (64 * uint16_t == 128 bytes). In non-block aligned chunks (width/height not a multiple of 8), this can cause src to point past the boundaries of the chunk.

PoC

In order to reproduce the PoC with fidelity and avoid undefined behaviors, it is necessary to enable ASAN (and SSE2). Otherwise the out-of-bound read will not be detected until its side-effect causes a crash.

NOTE: please download the dwadecoder_crash.exr file from the following link:

https://github.com/ShielderSec/poc/tree/main/CVE-2025-48072

Compile the exrcheck binary in a macOS or GNU/Linux machine with ASAN.
Open the dwadecoder_crash.exr file with the following command:

exrcheck dwadecoder_crash.exr

Notice that exrcheck crashes with ASAN stack-trace.

==2297956==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x52500000a110 at pc 0x55e590db7bf1 bp 0x7fff948bb110 sp 0x7fff948bb108
READ of size 16 at 0x52500000a110 thread T0
    #0 0x55e590db7bf0 in LossyDctDecoder_execute /root/openexr/src/lib/OpenEXRCore/internal_dwa_decoder.h:650:48
    #1 0x55e590dae18d in DwaCompressor_uncompress /root/openexr/src/lib/OpenEXRCore/internal_dwa_compressor.h:1132:30
    #2 0x55e590da9960 in internal_exr_undo_dwaa /root/openexr/src/lib/OpenEXRCore/internal_dwa.c:202:18
    #3 0x55e590d42d03 in exr_uncompress_chunk /root/openexr/src/lib/OpenEXRCore/compression.c:516:14
    #4 0x55e590dc3132 in exr_decoding_run /root/openexr/src/lib/OpenEXRCore/decoding.c:580:14
    #5 0x55e590c7d78f in Imf_3_4::(anonymous namespace)::ScanLineProcess::run_decode(_priv_exr_context_t const*, int, Imf_3_4::FrameBuffer const*, int, int, std::vector<Imf_3_4::Slice, std::allocator<Imf_3_4::Slice>> const&) /root/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:585:23
    #6 0x55e590c83ed7 in Imf_3_4::ScanLineInputFile::Data::readPixels(Imf_3_4::FrameBuffer const&, int, int) /root/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:499:21
    #7 0x55e590c73c97 in Imf_3_4::ScanLineInputFile::readPixels(int, int) /root/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:306:12
    #8 0x55e590c73c97 in Imf_3_4::InputFile::Data::readPixels(int, int) /root/openexr/src/lib/OpenEXR/ImfInputFile.cpp:446:20
    #9 0x55e590c1f92f in Imf_3_4::InputFile::readPixels(int) /root/openexr/src/lib/OpenEXR/ImfInputFile.cpp:228:12
    #10 0x55e590c1f92f in Imf_3_4::InputPart::readPixels(int) /root/openexr/src/lib/OpenEXR/ImfInputPart.cpp:70:11
    #11 0x55e590c1f92f in bool Imf_3_4::(anonymous namespace)::readScanline<Imf_3_4::InputPart>(Imf_3_4::InputPart&, bool, bool) /root/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:239:20
    #12 0x55e590c1f92f in Imf_3_4::(anonymous namespace)::readMultiPart(Imf_3_4::MultiPartInputFile&, bool, bool) /root/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:879:28
    #13 0x55e590c155af in bool Imf_3_4::(anonymous namespace)::runChecks<char const*>(char const*&, bool, bool) /root/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:1132:21
    #14 0x55e590c155af in Imf_3_4::checkOpenEXRFile(char const*, bool, bool, bool) /root/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:1796:19
    #15 0x55e590ba5abe in exrCheck(char const*, bool, bool, bool, bool) /root/openexr/src/bin/exrcheck/main.cpp:96:16
    #16 0x55e590ba6fbe in main /root/openexr/src/bin/exrcheck/main.cpp:164:29
    #17 0x7f4259e2a1c9 in __libc_start_call_main csu/../sysdeps/npthttps://gitlab.com/qemu-project/qemu/-/issuesl/libc_start_call_main.h:58:16
    #18 0x7f4259e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #19 0x55e590ac67d4 in _start (/root/openexr/_build_afl_asan/bin/exrcheck+0x1d87d4) (BuildId: 49c2658b2f9ddef9)

0x52500000a110 is located 752 bytes after 9504-byte region [0x525000007900,0x525000009e20)
allocated by thread T0 here:
    #0 0x55e590b61623 in malloc (/root/openexr/_build_afl_asan/bin/exrcheck+0x273623) (BuildId: 49c2658b2f9ddef9)
    #1 0x55e590db11b1 in LossyDctDecoder_execute /root/openexr/src/lib/OpenEXRCore/internal_dwa_decoder.h:324:22
    #2 0x55e590dae18d in DwaCompressor_uncompress /root/openexr/src/lib/OpenEXRCore/internal_dwa_compressor.h:1132:30
    #3 0x55e590da9960 in internal_exr_undo_dwaa /root/openexr/src/lib/OpenEXRCore/internal_dwa.c:202:18
    #4 0x55e590d42d03 in exr_uncompress_chunk /root/openexr/src/lib/OpenEXRCore/compression.c:516:14

Impact

An attacker could crash the application and in some scenarios also leak data, such as sensitive information or memory addresses that might be used to bypass exploitation mitigations like ASLR.

Severity ?

6.8 (Medium)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "OpenEXR"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.2"
            },
            {
              "fixed": "3.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.3.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48072"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-31T19:20:05Z",
    "nvd_published_at": "2025-07-31T21:15:28Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe OpenEXRCore code is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk.\n\n### Details\n\nIn the `LossyDctDecoder_execute` function (from `src/lib/OpenEXRCore/internal_dwa_decoder.h`, when SSE2 is enabled), the following code is used to copy data from the chunks:\n\n```cpp\n// no-op conversion to linear\nfor (int y = 8 * blocky; y \u003c 8 * blocky + maxY; ++y)\n{\n    __m128i* restrict dst = (__m128i *) chanData[comp]-\u003e_rows[y];\n    __m128i const * restrict src = (__m128i const *)\u0026rowBlock[comp][(y \u0026 0x7) * 8];\n\n    for (int blockx = 0; blockx \u003c numFullBlocksX; ++blockx)\n    {\n        _mm_storeu_si128 (dst, _mm_loadu_si128 (src)); //\n\n        src += 8 * 8; // \u003c--- si128 pointer incremented as a uint16_t\n        dst += 8;\n    }\n}\n```\n\nThe issue arises because the `src` pointer, which is a `si128` pointer, is incremented by `8*8`, as if it were a `uint16_t`\u00a0pointer (64 * uint16_t == 128 bytes). In non-block aligned chunks (width/height not a multiple of 8), this can cause `src` to point past the boundaries of the chunk.\n\n### PoC\n\nIn order to reproduce the PoC with fidelity and avoid undefined behaviors, it is necessary to enable ASAN (and SSE2). Otherwise the out-of-bound read will not be detected until its side-effect causes a crash.\n\nNOTE: please download the `dwadecoder_crash.exr` file from the following link: \n\nhttps://github.com/ShielderSec/poc/tree/main/CVE-2025-48072\n\n1. Compile the `exrcheck` binary in a macOS or GNU/Linux machine with ASAN.\n2. Open the `dwadecoder_crash.exr` file with the following command:\n\n```\nexrcheck dwadecoder_crash.exr\n```\n\n3. Notice that `exrcheck` crashes with ASAN stack-trace.\n\n```\n==2297956==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x52500000a110 at pc 0x55e590db7bf1 bp 0x7fff948bb110 sp 0x7fff948bb108\nREAD of size 16 at 0x52500000a110 thread T0\n    #0 0x55e590db7bf0 in LossyDctDecoder_execute /root/openexr/src/lib/OpenEXRCore/internal_dwa_decoder.h:650:48\n    #1 0x55e590dae18d in DwaCompressor_uncompress /root/openexr/src/lib/OpenEXRCore/internal_dwa_compressor.h:1132:30\n    #2 0x55e590da9960 in internal_exr_undo_dwaa /root/openexr/src/lib/OpenEXRCore/internal_dwa.c:202:18\n    #3 0x55e590d42d03 in exr_uncompress_chunk /root/openexr/src/lib/OpenEXRCore/compression.c:516:14\n    #4 0x55e590dc3132 in exr_decoding_run /root/openexr/src/lib/OpenEXRCore/decoding.c:580:14\n    #5 0x55e590c7d78f in Imf_3_4::(anonymous namespace)::ScanLineProcess::run_decode(_priv_exr_context_t const*, int, Imf_3_4::FrameBuffer const*, int, int, std::vector\u003cImf_3_4::Slice, std::allocator\u003cImf_3_4::Slice\u003e\u003e const\u0026) /root/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:585:23\n    #6 0x55e590c83ed7 in Imf_3_4::ScanLineInputFile::Data::readPixels(Imf_3_4::FrameBuffer const\u0026, int, int) /root/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:499:21\n    #7 0x55e590c73c97 in Imf_3_4::ScanLineInputFile::readPixels(int, int) /root/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:306:12\n    #8 0x55e590c73c97 in Imf_3_4::InputFile::Data::readPixels(int, int) /root/openexr/src/lib/OpenEXR/ImfInputFile.cpp:446:20\n    #9 0x55e590c1f92f in Imf_3_4::InputFile::readPixels(int) /root/openexr/src/lib/OpenEXR/ImfInputFile.cpp:228:12\n    #10 0x55e590c1f92f in Imf_3_4::InputPart::readPixels(int) /root/openexr/src/lib/OpenEXR/ImfInputPart.cpp:70:11\n    #11 0x55e590c1f92f in bool Imf_3_4::(anonymous namespace)::readScanline\u003cImf_3_4::InputPart\u003e(Imf_3_4::InputPart\u0026, bool, bool) /root/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:239:20\n    #12 0x55e590c1f92f in Imf_3_4::(anonymous namespace)::readMultiPart(Imf_3_4::MultiPartInputFile\u0026, bool, bool) /root/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:879:28\n    #13 0x55e590c155af in bool Imf_3_4::(anonymous namespace)::runChecks\u003cchar const*\u003e(char const*\u0026, bool, bool) /root/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:1132:21\n    #14 0x55e590c155af in Imf_3_4::checkOpenEXRFile(char const*, bool, bool, bool) /root/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:1796:19\n    #15 0x55e590ba5abe in exrCheck(char const*, bool, bool, bool, bool) /root/openexr/src/bin/exrcheck/main.cpp:96:16\n    #16 0x55e590ba6fbe in main /root/openexr/src/bin/exrcheck/main.cpp:164:29\n    #17 0x7f4259e2a1c9 in __libc_start_call_main csu/../sysdeps/npthttps://gitlab.com/qemu-project/qemu/-/issuesl/libc_start_call_main.h:58:16\n    #18 0x7f4259e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3\n    #19 0x55e590ac67d4 in _start (/root/openexr/_build_afl_asan/bin/exrcheck+0x1d87d4) (BuildId: 49c2658b2f9ddef9)\n\n0x52500000a110 is located 752 bytes after 9504-byte region [0x525000007900,0x525000009e20)\nallocated by thread T0 here:\n    #0 0x55e590b61623 in malloc (/root/openexr/_build_afl_asan/bin/exrcheck+0x273623) (BuildId: 49c2658b2f9ddef9)\n    #1 0x55e590db11b1 in LossyDctDecoder_execute /root/openexr/src/lib/OpenEXRCore/internal_dwa_decoder.h:324:22\n    #2 0x55e590dae18d in DwaCompressor_uncompress /root/openexr/src/lib/OpenEXRCore/internal_dwa_compressor.h:1132:30\n    #3 0x55e590da9960 in internal_exr_undo_dwaa /root/openexr/src/lib/OpenEXRCore/internal_dwa.c:202:18\n    #4 0x55e590d42d03 in exr_uncompress_chunk /root/openexr/src/lib/OpenEXRCore/compression.c:516:14\n```\n\n### Impact\nAn attacker could crash the application and in some scenarios also leak data, such as sensitive information or memory addresses that might be used to bypass exploitation mitigations like ASLR.",
  "id": "GHSA-4r7w-q3jg-ff43",
  "modified": "2025-08-01T13:29:02Z",
  "published": "2025-07-31T19:20:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48072"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AcademySoftwareFoundation/openexr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-48072"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenEXR Out of Bounds Heap Read due to Bad Pointer Arithmetic in LossyDctDecoder_execute"
}

FKIE_CVE-2025-48072

Vulnerability from fkie_nvd - Published: 2025-07-31 21:15 - Updated: 2025-08-13 20:23

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361	Patch
security-advisories@github.com	https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3	Release Notes
security-advisories@github.com	https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	openexr	openexr	3.3.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openexr:openexr:3.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9E8468B-6096-42B1-8235-EBF60FC5A81C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3."
    },
    {
      "lang": "es",
      "value": "OpenEXR proporciona la especificaci\u00f3n y la implementaci\u00f3n de referencia del formato de archivo EXR, un formato de almacenamiento de im\u00e1genes para la industria cinematogr\u00e1fica. La versi\u00f3n 3.3.2 es vulnerable a un desbordamiento de b\u00fafer basado en el mont\u00f3n durante una operaci\u00f3n de lectura debido a un c\u00e1lculo incorrecto del puntero al descomprimir archivos EXR de l\u00ednea de escaneo empaquetados con DWAA con un fragmento falsificado maliciosamente. Esto se corrige en la versi\u00f3n 3.3.3."
    }
  ],
  "id": "CVE-2025-48072",
  "lastModified": "2025-08-13T20:23:43.777",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-31T21:15:28.163",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

CNVD-2025-24798

Vulnerability from cnvd - Published: 2025-10-24

Title

OpenEXR缓冲区溢出漏洞（CNVD-2025-24798）

Description

OpenEXR是一种高动态范围图像（HDR）文件格式的开放标准。 OpenEXR 3.3.2版本存在缓冲区溢出漏洞，该漏洞源于解压恶意伪造数据块的DWAA压缩扫描线EXR文件时，错误的指针运算导致读取操作越界。攻击者可利用该漏洞通过构造恶意数据块触发堆溢出，导致程序崩溃或执行任意代码。

Severity

中

Patch Name

OpenEXR缓冲区溢出漏洞（CNVD-2025-24798）的补丁

Patch Description

OpenEXR是一种高动态范围图像（HDR）文件格式的开放标准。 OpenEXR 3.3.2版本存在缓冲区溢出漏洞，该漏洞源于解压恶意伪造数据块的DWAA压缩扫描线EXR文件时，错误的指针运算导致读取操作越界。攻击者可利用该漏洞通过构造恶意数据块触发堆溢出，导致程序崩溃或执行任意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-48072

Impacted products

Name
OpenEXR OpenEXR 3.3.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-48072",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-48072"
    }
  },
  "description": "OpenEXR\u662f\u4e00\u79cd\u9ad8\u52a8\u6001\u8303\u56f4\u56fe\u50cf\uff08HDR\uff09\u6587\u4ef6\u683c\u5f0f\u7684\u5f00\u653e\u6807\u51c6\u3002\n\nOpenEXR 3.3.2\u7248\u672c\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u89e3\u538b\u6076\u610f\u4f2a\u9020\u6570\u636e\u5757\u7684DWAA\u538b\u7f29\u626b\u63cf\u7ebfEXR\u6587\u4ef6\u65f6\uff0c\u9519\u8bef\u7684\u6307\u9488\u8fd0\u7b97\u5bfc\u81f4\u8bfb\u53d6\u64cd\u4f5c\u8d8a\u754c\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u6784\u9020\u6076\u610f\u6570\u636e\u5757\u89e6\u53d1\u5806\u6ea2\u51fa\uff0c\u5bfc\u81f4\u7a0b\u5e8f\u5d29\u6e83\u6216\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttps://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-24798",
  "openTime": "2025-10-24",
  "patchDescription": "OpenEXR\u662f\u4e00\u79cd\u9ad8\u52a8\u6001\u8303\u56f4\u56fe\u50cf\uff08HDR\uff09\u6587\u4ef6\u683c\u5f0f\u7684\u5f00\u653e\u6807\u51c6\u3002\r\n\r\nOpenEXR 3.3.2\u7248\u672c\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u89e3\u538b\u6076\u610f\u4f2a\u9020\u6570\u636e\u5757\u7684DWAA\u538b\u7f29\u626b\u63cf\u7ebfEXR\u6587\u4ef6\u65f6\uff0c\u9519\u8bef\u7684\u6307\u9488\u8fd0\u7b97\u5bfc\u81f4\u8bfb\u53d6\u64cd\u4f5c\u8d8a\u754c\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u6784\u9020\u6076\u610f\u6570\u636e\u5757\u89e6\u53d1\u5806\u6ea2\u51fa\uff0c\u5bfc\u81f4\u7a0b\u5e8f\u5d29\u6e83\u6216\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "OpenEXR\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2025-24798\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "OpenEXR OpenEXR 3.3.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-48072",
  "serverity": "\u4e2d",
  "submitTime": "2025-08-11",
  "title": "OpenEXR\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff08CNVD-2025-24798\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-48072 (GCVE-0-2025-48072)

GHSA-4R7W-Q3JG-FF43

Summary

Details

PoC

Impact

FKIE_CVE-2025-48072

CNVD-2025-24798

Tags

Sightings

Nomenclature