Use of Uninitialized Memory in OpenEXR Image Format by Academy Software Foundation
CVE-2025-64181

Score: 2 (LOW)

Key Information:

Status:
Vendor:
CVE Published: 10 November 2025

What is CVE-2025-64181?

The OpenEXR implementation, used extensively in the motion picture industry, has a vulnerability in its generic_unpack component in which conditional branches depend on uninitialized data. The flaw, identified during fuzz testing under Valgrind, can result in unexpected behaviour, including potential crashes or denial of service. Users should upgrade to version 3.3.6 or 3.4.3, which contain patches addressing this issue.

Affected Version(s)

openexr >= 3.3.0, < 3.3.6 (fixed in 3.3.6)

openexr >= 3.4.0, < 3.4.3 (fixed in 3.4.3)

References

CVSS V4

Score: 2
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved
