CVE-2025-48072 MEDIUM

CVE-2025-48072: OpenEXR's Inaccurate Pointer Arithmetic can Cause an Out of Bounds Heap

Vendor Academysoftwarefoundation
Product openexr
Weakness CWE-125
Published July 31, 2025
Last update July 31, 2025

CVSS base score

6.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.

Key dates

02Disclosure timeline

July 31, 2025 CVE published
July 31, 2025 Record updated