CVE Details
Basic Information
| Title | OpenEXR’s Inaccurate Pointer Arithmetic can Cause an Out of Bounds Heap |
|---|---|
| Type | cve |
| Published | 2025-07-31T20:18:40.598Z |
| Modified | 2025-07-31T20:37:21.287Z |
Product Information
| Vendor | AcademySoftwareFoundation |
|---|---|
| Product | openexr |
| Version | >= 3.3.2, < 3.3.3 |
CVSS Information
| Base Score | 6.8 (MEDIUM) |
|---|---|
| Vector String | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N |
AI Analysis
| AI Description | A heap-based buffer overflow vulnerability in OpenEXR version 3.3.2 can occur during the decompression of maliciously crafted EXR files, potentially leading to memory corruption. This issue is resolved in version 3.3.3. |
|---|---|
| AI Severity | Medium |
| AI Vendor | AcademySoftwareFoundation |
| AI Product | OpenEXR |
| AI Version | 3.3.2 |
Affected Products
- AcademySoftwareFoundation openexr >= 3.3.2, < 3.3.3
Additional Information
| CWE List | CWE-125 |
|---|---|
| Source | GitHub_M |
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.