OpenEXR’s Unbounded File Header Values can Lead to Out-Of-Memory Errors

4.6 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3.

Basic Information

ID CVE-2025-48074

Source GitHub_M

Published Aug 1, 2025 at 16:32

Modified Aug 1, 2025 at 17:09

Affected Product

Vendor AcademySoftwareFoundation

Product openexr

Version >= 3.3.2, < 3.3.3

Affected Versions AcademySoftwareFoundation openexr >= 3.3.2, < 3.3.3

CWE Classification

CWE-770

References

{
    "lastseen": "",
    "description": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3.",
    "published": "2025-08-01T16:32:54.595Z",
    "modified": "2025-08-01T17:09:00.696Z",
    "type": "cve",
    "title": "OpenEXR's Unbounded File Header Values can Lead to Out-Of-Memory Errors",
    "source": "GitHub_M",
    "references": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-x22w-82jp-8rvf\nhttps://github.com/ShielderSec/poc/tree/main/CVE-2025-48074",
    "id": "CVE-2025-48074",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "AcademySoftwareFoundation openexr >= 3.3.2, < 3.3.3",
    "sourceHref": "",
    "cvss": {
        "score": 4.6,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "openexr",
    "version": ">= 3.3.2, < 3.3.3",
    "vendor": "AcademySoftwareFoundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenEXR’s Unbounded File Header Values can Lead to Out-Of-Memory Errors_CVE-2025-48074