Vulnerability Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openexr | Openexr | >= 3.3.0, < 3.3.6 |
Related Weaknesses (CWE)
References
- https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3hExploitVendor Advisory
- https://github.com/user-attachments/files/23024726/archive0.zipBroken Link
- https://github.com/user-attachments/files/23024736/archive1.zipBroken Link
- https://github.com/user-attachments/files/23024740/archive2.zipBroken Link
- https://github.com/user-attachments/files/23024744/archive3.zipBroken Link
- https://github.com/user-attachments/files/23024746/archive4.zipBroken Link
- https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3hExploitVendor Advisory
FAQ
What is CVE-2025-64181?
CVE-2025-64181 is a vulnerability with a CVSS score of 7.5 (HIGH). OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2...
How severe is CVE-2025-64181?
CVE-2025-64181 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-64181?
Check the references section above for vendor advisories and patch information. Affected products include: Openexr Openexr.