Image Processing Vulnerability in FFmpeg's OpenEXR Decoder by Open Source Vendor
CVE-2025-59733

8.7 HIGH

Key Information:

Vendor: FFmpeg
Status: Vendor
CVE Published: 6 October 2025

What is CVE-2025-59733?

CVE-2025-59733 is a memory-corruption bug in FFmpeg's decoder for the OpenEXR image format (libavcodec/exr.c), reachable when a file uses DWAA or DWAB compression. The DWA decompression routine assumes that every channel in the file has the same pixel type and size, and specifically that the first four channels are the red, green, blue and alpha (RGBA) planes. An EXR channel list does not have to satisfy that assumption: each channel declares its own pixel type (UINT, HALF or FLOAT), and the types may be mixed. When the color channels use a 4-byte type and the file also declares additional channels of a different size, such as 2-byte EXR_HALF, the layout the decoder computes no longer matches the buffer it writes into, and the result is a buffer overflow. The overflow corrupts memory and could be leveraged by an attacker who supplies a crafted EXR file to execute arbitrary code in the process doing the decoding. FFmpeg 8.0 contains the fix; users of earlier releases, including 7.1.1, are advised to upgrade to version 8.0 or later. Because the decoder lives in libavcodec, any application that links the library and decodes untrusted EXR input is exposed, not only the ffmpeg and ffprobe command-line tools.
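As an added illustration (example code written for this page, not FFmpeg's decoder and not the 8.0 fix), the following C models the assumption the advisory describes. It parses an OpenEXR channel list from a constructed header fragment, computes the per-scanline buffer layout a decoder derives if it applies the first channel's sample size to every channel, and compares it with the layout the real per-channel sizes require; the difference is the number of bytes such a decoder writes past a buffer sized from the real channel list. The function names, the sample channel list (RGBA stored as FLOAT plus a HALF "Z" channel) and the simplified model of the faulty layout are assumptions of this example; only the chlist wire format and the sample sizes come from the OpenEXR specification.

```c
/* Added illustration for CVE-2025-59733, not FFmpeg's code. It parses an OpenEXR
 * channel list and compares the scanline layout a decoder gets under the faulty
 * "every channel has channel 0's sample size" assumption with the layout the real
 * sizes need. That model of the faulty decoder is a simplification, and the
 * sample channel list below is constructed, not taken from a real file. */
#include <stdint.h>
#include <string.h>

enum { EXR_UINT = 0, EXR_HALF = 1, EXR_FLOAT = 2 };   /* chlist pixel types */
struct exr_channel { char name[32]; int32_t pixel_type; };

/* UINT and FLOAT samples are 4 bytes, HALF samples are 2. */
static size_t exr_pixel_size(int32_t t) { return t == EXR_HALF ? 2 : 4; }

static int32_t rd_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Parse a chlist body: repeated { name NUL, int32 pixelType, uint8 pLinear,
 * 3 reserved, int32 xSampling, int32 ySampling }, ended by an empty name.
 * Returns the channel count, or -1 if the list is malformed or truncated. */
int exr_parse_chlist(const uint8_t *buf, size_t len, struct exr_channel *out, size_t max_out)
{
    size_t pos = 0, n = 0;
    while (pos < len) {
        const uint8_t *nul = memchr(buf + pos, 0, len - pos);
        if (!nul) return -1;                        /* unterminated name */
        size_t name_len = (size_t)(nul - (buf + pos));
        if (name_len == 0) return (int)n;           /* empty name ends the list */
        if (name_len >= sizeof out->name || n >= max_out) return -1;
        memcpy(out[n].name, buf + pos, name_len + 1);
        pos += name_len + 1;
        if (len - pos < 16) return -1;              /* fixed part cut off */
        out[n].pixel_type = rd_le32(buf + pos);
        if (out[n].pixel_type < EXR_UINT || out[n].pixel_type > EXR_FLOAT) return -1;
        pos += 16;
        n++;
    }
    return -1;                                      /* no terminator seen */
}

/* Bytes a decoder that applies channel 0's sample size to every channel writes
 * past a buffer sized from the real per-channel sizes (0: harmless here). */
size_t overflow_bytes(const struct exr_channel *ch, size_t n, size_t width)
{
    size_t actual = 0, assumed = n ? exr_pixel_size(ch[0].pixel_type) * n * width : 0;
    for (size_t i = 0; i < n; i++)
        actual += exr_pixel_size(ch[i].pixel_type) * width;
    return assumed > actual ? assumed - actual : 0;
}

/* The check a hardened decoder makes before relying on a single stride. */
int exr_channels_uniform(const struct exr_channel *ch, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (ch[i].pixel_type != ch[0].pixel_type) return 0;
    return 1;
}

/* Emit one chlist entry with xSampling = ySampling = 1; returns bytes written. */
static size_t put_channel(uint8_t *p, const char *name, int32_t type)
{
    size_t nl = strlen(name) + 1;
    memcpy(p, name, nl);
    memset(p + nl, 0, 16);
    p[nl] = (uint8_t)type;                          /* little-endian pixelType */
    p[nl + 8] = p[nl + 12] = 1;
    return nl + 16;
}

/* Constructed sample: RGBA as 4-byte FLOAT plus a 2-byte HALF "Z" channel, the
 * mix the advisory describes (EXR keeps channels sorted by name). */
size_t build_mixed_chlist(uint8_t *buf)
{
    static const char *const names[] = { "A", "B", "G", "R" };
    size_t pos = 0;
    for (size_t i = 0; i < 4; i++)
        pos += put_channel(buf + pos, names[i], EXR_FLOAT);
    pos += put_channel(buf + pos, "Z", EXR_HALF);
    buf[pos++] = 0;                                 /* list terminator */
    return pos;
}

struct demo_result { int channels; int uniform; size_t overflow; };

/* Build and parse the sample, then evaluate it for one `width`-pixel scanline.
 * With `truncated` set the terminator is cut off, and channels comes back -1. */
struct demo_result demo_mixed(size_t width, int truncated)
{
    uint8_t buf[128]; struct exr_channel ch[8];
    struct demo_result r = { 0, 0, 0 };
    r.channels = exr_parse_chlist(buf, build_mixed_chlist(buf) - (truncated ? 1 : 0), ch, 8);
    if (r.channels > 0) {
        r.uniform = exr_channels_uniform(ch, (size_t)r.channels);
        r.overflow = overflow_bytes(ch, (size_t)r.channels, width);
    }
    return r;
}
```

Calling demo_mixed(64, 0) yields 5 channels, uniform 0 and a 128-byte overrun for a 64-pixel scanline (20 bytes per pixel assumed against 18 actually allocated); the same list with its terminator cut off is rejected by the parser instead of being read past its end. The practitioner's takeaway is the exr_channels_uniform check: a decoder that computes a single stride for all channels has to refuse, or handle per channel, any list whose pixel types differ.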

Affected Version(s)

FFmpeg from commit 9a32b863074ed4140141e0d3613905c6f1fe61c5 up to (excluding) 8.0

FFmpeg 7.1.1 up to (excluding) 8.0

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: not stated on this page
User Interaction: not stated on this page

Timeline

  • Vulnerability published: 6 October 2025

  • Vulnerability reserved

Credit

Google Big Sleep