Heap-based Buffer Overflow in OpenEXR 3.3.2 Affects Academy Software Foundation
CVE-2025-48072

CVSS v4: 6.8 MEDIUM

Key Information:

Vendor: Academy Software Foundation
CVE Published: 31 July 2025

What is CVE-2025-48072?

OpenEXR, the image storage format and library for the motion picture industry developed by the Academy Software Foundation, contains a heap-based buffer overflow in version 3.3.2. The flaw is reached while reading a scan-line EXR file compressed with DWAA: incorrect pointer arithmetic during decompression of a maliciously crafted chunk causes the decoder to write outside the allocated output buffer. Any application that opens such a file with the vulnerable library can have its heap corrupted; at minimum this crashes the reader (denial of service), and the CVSS vector below also rates the confidentiality impact as high. The issue is fixed in OpenEXR 3.3.3, and users are strongly advised to upgrade. Until then, treat EXR files from untrusted sources as hostile; the affected code path is reached only by scan-line (non-tiled) images whose header declares DWAA compression.
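Because the vulnerable path is selected by two fields of the file header (the tiled flag in the version word and the `compression` attribute), an untrusted EXR can be screened for it before it is handed to a decoder that cannot yet be upgraded. The following screener is an added example for this advisory, not code from the OpenEXR project: it parses the single-part EXR header layout (magic, version word, NUL-terminated name/type attribute list) and reports whether the file would reach the DWAA scan-line decompressor. The compression enumeration values (DWAA = 8) and the layout come from the OpenEXR file format; the function names, the `reaches_dwaa_scanline_path` field and the constructed sample headers are my own. Screening the header says nothing about whether the chunk data is malicious, so this is a triage aid, not a substitute for 3.3.3.

```python
"""Header-level screener for EXR files that reach the DWAA scan-line decode path.

Added example for CVE-2025-48072; not part of OpenEXR. Handles single-part
headers only and treats any malformed header as a rejection.
"""
import struct

EXR_MAGIC = b"\x76\x2f\x31\x01"   # 0x01312f76 as stored little-endian
FLAG_TILED = 0x200                 # single-part tiled image
FLAG_LONG_NAMES = 0x400            # attribute names/types up to 255 bytes
FLAG_MULTIPART = 0x1000            # several headers follow the version word

COMPRESSION_NAMES = {
    0: "NO_COMPRESSION", 1: "RLE", 2: "ZIPS", 3: "ZIP", 4: "PIZ",
    5: "PXR24", 6: "B44", 7: "B44A", 8: "DWAA", 9: "DWAB",
}
DWAA_COMPRESSION = 8


def _read_cstring(buf: bytes, pos: int, limit: int) -> tuple:
    """Read a NUL-terminated ASCII string, refusing missing or over-long ones."""
    end = buf.find(b"\x00", pos)
    if end < 0 or end - pos > limit:
        raise ValueError("malformed or over-long header string")
    return buf[pos:end].decode("ascii"), end + 1


def parse_exr_header(data: bytes) -> tuple:
    """Parse the version word and attribute list of a single-part EXR header.

    Returns (version_word, {name: (type_name, raw_value_bytes)}).
    """
    if len(data) < 8 or data[:4] != EXR_MAGIC:
        raise ValueError("not an OpenEXR file")
    version = struct.unpack_from("<I", data, 4)[0]
    if version & 0xFF != 2:
        raise ValueError(f"unsupported EXR version {version & 0xFF}")
    if version & FLAG_MULTIPART:
        raise ValueError("multi-part file: this screener only handles single-part headers")
    name_limit = 255 if version & FLAG_LONG_NAMES else 31

    attrs = {}
    pos = 8
    while True:
        if pos >= len(data):
            raise ValueError("header not terminated")
        if data[pos] == 0:             # a lone NUL ends the attribute list
            break
        name, pos = _read_cstring(data, pos, name_limit)
        type_name, pos = _read_cstring(data, pos, name_limit)
        if pos + 4 > len(data):
            raise ValueError("truncated attribute size")
        size = struct.unpack_from("<i", data, pos)[0]
        pos += 4
        if size < 0 or pos + size > len(data):
            raise ValueError(f"attribute {name!r} size {size} exceeds file")
        attrs[name] = (type_name, data[pos:pos + size])
        pos += size
    return version, attrs


def classify(data: bytes) -> dict:
    """Report compression/layout and whether the DWAA scan-line path is reached."""
    version, attrs = parse_exr_header(data)
    if "compression" not in attrs:
        raise ValueError("required 'compression' attribute missing")
    type_name, raw = attrs["compression"]
    if type_name != "compression" or len(raw) != 1:
        raise ValueError("malformed 'compression' attribute")
    comp = raw[0]
    scanline = not (version & FLAG_TILED)
    return {
        "compression": COMPRESSION_NAMES.get(comp, f"unknown({comp})"),
        "scanline": scanline,
        "reaches_dwaa_scanline_path": scanline and comp == DWAA_COMPRESSION,
    }


def _attr(name: str, type_name: str, value: bytes) -> bytes:
    return name.encode() + b"\x00" + type_name.encode() + b"\x00" + struct.pack("<i", len(value)) + value


def build_test_header(compression: int, tiled: bool = False) -> bytes:
    """Constructed minimal single-part header (no pixel data) for exercising the screener."""
    version = 2 | (FLAG_TILED if tiled else 0)
    # chlist entry: name, int pixelType (1 = HALF), uchar pLinear, 3 reserved, xSampling, ySampling
    chlist = b"R\x00" + struct.pack("<iB3xii", 1, 0, 1, 1) + b"\x00"
    box = struct.pack("<iiii", 0, 0, 63, 63)
    header = (
        EXR_MAGIC + struct.pack("<I", version)
        + _attr("channels", "chlist", chlist)
        + _attr("compression", "compression", bytes([compression]))
        + _attr("dataWindow", "box2i", box)
        + _attr("displayWindow", "box2i", box)
        + _attr("lineOrder", "lineOrder", b"\x00")
        + _attr("pixelAspectRatio", "float", struct.pack("<f", 1.0))
        + _attr("screenWindowCenter", "v2f", struct.pack("<ff", 0.0, 0.0))
        + _attr("screenWindowWidth", "float", struct.pack("<f", 1.0))
    )
    if tiled:  # tiled files must carry a tiledesc: xSize, ySize, mode
        header += _attr("tiles", "tiledesc", struct.pack("<IIB", 64, 64, 0))
    return header + b"\x00"


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                head = fh.read(1 << 20)   # headers are small; 1 MiB is ample
            try:
                print(path, classify(head))
            except ValueError as exc:
                print(path, "REJECT:", exc)
    else:
        for comp, tiled in ((DWAA_COMPRESSION, False), (DWAA_COMPRESSION, True), (3, False)):
            print(COMPRESSION_NAMES[comp], "tiled" if tiled else "scanline",
                  classify(build_test_header(comp, tiled)))
```

Run it with one or more `.exr` paths to screen real files; with no arguments it classifies the three constructed headers. Rejections are deliberate: a header the screener cannot parse cleanly should not be forwarded to a decoder with a known memory-safety bug.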

Affected Version(s)

openexr >= 3.3.2, < 3.3.3

References

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability reserved

  • Vulnerability published: 31 July 2025