Use-After-Free Vulnerability in OpenEXR Affects Software Products by Academy Software Foundation
CVE-2025-64183

5.5 MEDIUM

Key Information:

Status:
Vendor:
CVE Published: 10 November 2025

What is CVE-2025-64183?

A use-after-free vulnerability exists in the OpenEXR library's Python interface, specifically in the PyObject_StealAttrString function implemented in pyOpenEXR_old.cpp. The function can return a pointer to an object whose memory has already been deallocated, so callers hold a dangling pointer. When that pointer is then passed to APIs such as PyLong_AsLong or PyFloat_AsDouble, freed memory is read and the application's behavior is undefined. The issue is present in several OpenEXR release series (listed under Affected Version(s) below) and has been patched in subsequent releases.
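To make the bug class concrete, the following is an added example in C and not OpenEXR's own code: a constructed, simplified model of CPython-style reference counting in which `Obj`, `obj_decref`, `get_attr_new_ref` and `as_long` stand in for a Python object, `Py_DECREF`, `PyObject_GetAttrString` and `PyLong_AsLong`. It places the "steal the reference, then use the pointer" helper beside the fixed form that keeps the reference until the value has been extracted; the model poisons a deallocated object instead of freeing it so the dangling use is observable rather than undefined.

```c
#include <stdlib.h>

/* Constructed model of a CPython-style refcounted object. Not OpenEXR code:
 * it only mirrors the "steal the attribute reference, then use it" pattern. */
typedef struct {
    long refcnt;
    long value;
    int freed;   /* stands in for deallocated memory so a dangling use is observable */
} Obj;

static Obj *obj_new(long value) {
    Obj *o = malloc(sizeof *o);
    o->refcnt = 1; o->value = value; o->freed = 0;
    return o;
}

/* Stand-in for Py_DECREF: dropping the last reference deallocates the object.
 * The model poisons it instead of calling free() so the outcome is deterministic. */
static void obj_decref(Obj *o) {
    if (--o->refcnt == 0) { o->freed = 1; o->value = 0; }
}

/* Stand-in for PyObject_GetAttrString on a property that builds a temporary:
 * every call returns a NEW reference owned by the caller. */
static Obj *get_attr_new_ref(long stored) { return obj_new(stored); }

/* Stand-in for PyLong_AsLong; a real implementation would read freed memory here. */
static long as_long(const Obj *o, int *uaf) {
    *uaf = o->freed;
    return o->freed ? 0 : o->value;
}

/* Buggy "steal" helper: the reference is dropped before the pointer is used,
 * so a temporary attribute object is already gone when the caller reads it. */
static Obj *steal_attr(long stored) {
    Obj *o = get_attr_new_ref(stored);
    obj_decref(o);             /* refcount hits 0: object deallocated */
    return o;                  /* dangling pointer escapes to the caller */
}

static long read_attr_buggy(long stored, int *uaf) {
    return as_long(steal_attr(stored), uaf);   /* use after free */
}

/* Fixed pattern: extract the value while the strong reference is still held. */
static long read_attr_fixed(long stored, int *uaf) {
    Obj *o = get_attr_new_ref(stored);
    long v = as_long(o, uaf);
    obj_decref(o);             /* release only after the value has been read */
    return v;
}
```

`read_attr_fixed(42, &uaf)` returns 42 with `uaf == 0`, while `read_attr_buggy` sets `uaf` because the object was deallocated before the read.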

Affected Version(s)

openexr >= 3.2.0, < 3.2.5 (fixed in 3.2.5)

openexr >= 3.3.0, < 3.3.6 (fixed in 3.3.6)

openexr >= 3.4.0, < 3.4.3 (fixed in 3.4.3)

References

CVSS V4

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
