Run-Length Encoding Oversight in OpenEXR Files from Vendor Product
CVE-2025-59731

6.9 MEDIUM

Key Information:

Vendor: FFmpeg
Status: Vendor
CVE Published: 6 October 2025

What is CVE-2025-59731?

A vulnerability exists in the decoding of OpenEXR files that use the DWAA or DWAB compression formats. The decoder does not adequately validate the raw length declared for the run-length-encoded (RLE) data before using that value to compute output data dimensions. Because the declared length comes from the file rather than from the actual RLE buffer, a malformed file can cause the decoder to access memory beyond the allocated bounds of the RLE data buffer, a potential buffer overflow. To mitigate this issue, users are advised to upgrade to version 8.0 or later.
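As an added illustration (not FFmpeg's code, and using a constructed toy RLE layout rather than the DWA format), the following C decoder shows the kind of check the advisory describes as missing: the raw length declared in the stream is bounded by the destination capacity, and by the runs actually present, before it is allowed to drive any size computation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy RLE stream, constructed for this example (not FFmpeg's DWA layout):
 * two big-endian bytes declaring the raw (decoded) length, followed by
 * (count, value) pairs. The declared length plays the role of the
 * file-controlled "raw length" the advisory describes. */

/* Decodes `in` into `out` without trusting the declared raw length.
 * Returns 0 on success (decoded size in *out_len) or -1 on any mismatch. */
int rle_decode_checked(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (in_len < 2)
        return -1;                                  /* no header */
    size_t raw_len = ((size_t)in[0] << 8) | in[1];  /* declared, untrusted */

    /* The check the advisory says was missing: bound the declared raw
     * length by the destination before it drives any size computation. */
    if (raw_len > out_cap)
        return -1;

    size_t pos = 2, written = 0;
    while (pos + 1 < in_len) {                      /* a full (count, value) pair remains */
        uint8_t count = in[pos], value = in[pos + 1];
        pos += 2;
        if (count == 0 || count > raw_len - written)
            return -1;                              /* run would overrun raw_len */
        memset(out + written, value, count);
        written += count;
    }
    if (written != raw_len)
        return -1;                                  /* stream shorter than declared */
    *out_len = written;
    return 0;
}

/* Constructed sample streams for a self-check. */
static const uint8_t SAMPLE_OK[]   = {0x00, 0x05, 3, 'A', 2, 'B'};  /* decodes to "AAABB" */
static const uint8_t SAMPLE_LIES[] = {0xFF, 0xFF, 1, 'A'};          /* claims 65535 bytes */

/* Decodes a sample into a 16-byte buffer; returns decoded length or -1. */
int decode_sample(const uint8_t *in, size_t in_len)
{
    uint8_t out[16];
    size_t n = 0;
    return rle_decode_checked(in, in_len, out, sizeof out, &n) == 0 ? (int)n : -1;
}
```

The same principle applies to the real decoder: any length read from the file must be checked against the buffers it will index before it is used to derive dimensions or block counts.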

Affected Version(s)

FFmpeg 9a32b863074ed4140141e0d3613905c6f1fe61c5 < 8.0

FFmpeg 7.1.1 < 8.0

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Google Big Sleep