CVE-2025-64182 MEDIUM

CVE-2025-64182: OpenEXR has buffer overflow in PyOpenEXR_old's channels() and channel()

Vendor Academysoftwarefoundation
Product openexr
Weakness CWE-120
Published November 10, 2025
Last update November 14, 2025

CVSS base score

5.5/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper) allows crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects. Integer overflow and unchecked allocation in InputFile.channel() and InputFile.channels() can lead to a heap overflow (32-bit) or a NULL dereference (64-bit). Versions 3.2.5, 3.3.6, and 3.4.3 contain a patch for the issue.
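The two outcomes named in the description (a wrapped size on 32-bit builds, a failed allocation written through on 64-bit builds) both come from computing a buffer length from image dimensions without overflow or allocation checks. The following C snippet is an added illustration of that bug class and of the defensive sizing pattern that closes it; it is not OpenEXR's code, not the project's patch, and the types `channel_geom`, `MAX_CHANNEL_BYTES` and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical channel geometry (constructed for this example, not an OpenEXR type). */
typedef struct {
    int64_t width;            /* data window width in pixels */
    int64_t height;           /* data window height in pixels */
    int64_t bytes_per_sample; /* 2 for HALF, 4 for FLOAT/UINT */
} channel_geom;

/* Policy cap on a single channel buffer; a constructed sanity limit. */
#define MAX_CHANNEL_BYTES ((size_t)1 << 31)

/* Unchecked sizing in 32-bit arithmetic, modelling the wrap-around that
 * occurs on 32-bit builds: 65536 x 65536 x 4 wraps to 0, so a tiny buffer
 * would be allocated and then overrun when the pixel data is copied in. */
uint32_t unchecked_size32(const channel_geom *g) {
    return (uint32_t)g->width * (uint32_t)g->height * (uint32_t)g->bytes_per_sample;
}

/* Checked sizing: rejects non-positive dimensions, refuses values that do not
 * fit in size_t, detects overflow at each multiplication (GCC/Clang builtin),
 * and enforces the cap. Returns 0 on success, -1 on rejection. */
int checked_size(const channel_geom *g, size_t *out) {
    if (g->width <= 0 || g->height <= 0 || g->bytes_per_sample <= 0) return -1;
    if ((uint64_t)g->width > SIZE_MAX || (uint64_t)g->height > SIZE_MAX ||
        (uint64_t)g->bytes_per_sample > SIZE_MAX) return -1;
    size_t a, b;
    if (__builtin_mul_overflow((size_t)g->width, (size_t)g->height, &a)) return -1;
    if (__builtin_mul_overflow(a, (size_t)g->bytes_per_sample, &b)) return -1;
    if (b > MAX_CHANNEL_BYTES) return -1;
    *out = b;
    return 0;
}

/* Allocation wrapper: the size is validated first, and an allocation failure
 * is reported to the caller instead of being written through as NULL. */
void *alloc_channel(const channel_geom *g, size_t *len) {
    size_t n;
    if (checked_size(g, &n) != 0) return NULL;
    void *p = calloc(1, n);
    if (p == NULL) return NULL;
    *len = n;
    return p;
}
```

A caller that uses `alloc_channel` gets either a correctly sized buffer or a NULL it must handle; the unchecked path, by contrast, can hand back a buffer far smaller than the data about to be copied into it.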

Key dates

Disclosure timeline

November 10, 2025 CVE published
November 14, 2025 Record updated