CVE-2025-48074

CVE-2025-48074

Name

CVE-2025-48074

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
CONFIRM	https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-x22w-82jp-8rvf
MISC	https://github.com/ShielderSec/poc/tree/main/CVE-2025-48074

Type

URI

CONFIRM

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-x22w-82jp-8rvf

MISC

https://github.com/ShielderSec/poc/tree/main/CVE-2025-48074

CPE URI	Source package	Min version	Max version
	openexr	>= 3.3.2	< 3.3.3
`cpe:2.3:a:openexr:openexr:3.3.2:::::::*`	openexr	== None	== 3.3.2

CPE URI

Source package

Min version

Max version

openexr

>= 3.3.2

< 3.3.3

cpe:2.3:a:openexr:openexr:3.3.2:*:*:*:*:*:*:*

openexr

== None

== 3.3.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
openexr	edge-community	3.3.2-r0	Mark Riedesel <mark+alpine@klowner.com>	possibly vulnerable
openexr	3.22-community	3.3.2-r0	Mark Riedesel <mark+alpine@klowner.com>	possibly vulnerable
openexr	edge-community	3.4.2-r0	Théo Zanchi <theo.zanchi@gmail.com>	fixed

Source package

Branch

Version

Maintainer

Status

openexr

edge-community

3.3.2-r0

Mark Riedesel <mark+alpine@klowner.com>

possibly vulnerable

openexr

3.22-community