CVE-2025-48071

Name: CVE-2025-48071

Description: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3.

NVD Severity: unknown

References

| Type | URI |
|---|---|
| MISC | https://github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f |
| MISC | https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3 |
| CONFIRM | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375 |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| | openexr | >= 3.3.0 | < 3.3.3 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| openexr | edge-community | 3.4.2-r0 | Théo Zanchi <theo.zanchi@gmail.com> | fixed |
| openexr | edge-community | 3.3.2-r0 | Mark Riedesel <mark+alpine@klowner.com> | possibly vulnerable |
| openexr | 3.23-community | 3.4.2-r0 | Théo Zanchi <theo.zanchi@gmail.com> | fixed |
| openexr | 3.22-community | 3.3.2-r0 | Mark Riedesel <mark+alpine@klowner.com> | possibly vulnerable |