CVE-2025-48074 openexr

Package

Manager: pip
Name: openexr
Vulnerable Version: =3.3.2 || >=3.3.2 <3.3.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00023 pctl0.04495

Details

OpenEXR Out-Of-Memory via Unbounded File Header Values

### Summary

The OpenEXR file format defines much of the information about the final image inside the file header, such as the size of the data/display window. The application trusts the value of the `dataWindow` size provided in the header of the input file and performs computations based on this value. This may result in unintended behaviors, such as an excessively large number of iterations and/or huge memory allocations.

### Details

A concrete example of this issue is present in the function `readScanline()` in `ImfCheckFile.cpp` at line 235, which performs a for-loop over the `dataWindow` `min.y` and `max.y` coordinates, both of which can be arbitrarily large.

```cpp
in.setFrameBuffer (i);
int step = 1;
//
// try reading scanlines. Continue reading scanlines
// even if an exception is encountered
//
for (int y = dw.min.y; y <= dw.max.y; y += step) // <-- THIS LOOP IS EXCESSIVE BECAUSE OF DW.MAX
{
    try
    {
        in.readPixels (y);
    }
    catch (...)
    {
        threw = true;
        //
        // in reduceTime mode, fail immediately - the file is corrupt
        //
        if (reduceTime) { return threw; }
    }
}
```

Another example occurs in the `EnvmapImage::resize` function, which in turn calls `Array2D<T>::resizeEraseUnsafe`, passing the `dataWindow` X and Y coordinates and performing a huge allocation. On some systems the allocator will simply fail with `std::bad_alloc` and crash. On other systems such as macOS, the allocator will happily continue with a "small" pre-allocation and allocate further memory whenever it is accessed. This is the case with the `EnvmapImage::clear` function, which is called right after and fills the image RGB values with zeros, allocating tens of gigabytes.

### PoC

NOTE: please download the `oom_crash.exr` file via the following link: https://github.com/ShielderSec/poc/tree/main/CVE-2025-48074

1. Compile the `exrcheck` binary on a macOS or GNU/Linux machine with ASAN.
2. Open the `oom_crash.exr` file with the following command:
   ```
   exrcheck oom_crash.exr
   ```
3. Notice that `exrenvmap`/`exrcheck` crashes with an ASAN stack trace.

### Impact

An attacker could cause a denial of service by stalling the application, or exhaust memory by keeping the application in a loop which contains a memory leak.
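As an added example that is not part of this advisory or of OpenEXR's own code, the kind of bounds check a reader of the header would apply to the untrusted `dataWindow` before the scanline loop or the `resizeEraseUnsafe` allocation described above runs. `Box2i`, `checkDataWindow`, `WindowStatus` and the byte budget are assumptions of this example, not OpenEXR API.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for Imath::Box2i (the OpenEXR dataWindow type),
// defined locally so the example builds without the OpenEXR headers.
struct Box2i {
    int32_t minX, minY, maxX, maxY;
};

enum class WindowStatus { Ok, Inverted, TooLarge };

struct WindowCheck {
    WindowStatus status;
    uint64_t     bytesNeeded;  // meaningful only when status == Ok
};

// Validate an untrusted dataWindow before any scanline loop or pixel-buffer
// allocation uses it. Coordinates are int32, so maxX - minX + 1 can reach
// 2^32 and would wrap in 32-bit arithmetic; every term is widened to 64 bits,
// and width * height * bytesPerPixel is bounded by a division test so that
// product cannot wrap either. bytesPerPixel == 0 is treated as 1, which turns
// maxBytes into a plain pixel-count budget.
WindowCheck checkDataWindow(const Box2i& dw, uint64_t bytesPerPixel, uint64_t maxBytes)
{
    if (dw.maxX < dw.minX || dw.maxY < dw.minY)
        return {WindowStatus::Inverted, 0};
    if (bytesPerPixel == 0)
        bytesPerPixel = 1;

    const uint64_t width  = uint64_t(int64_t(dw.maxX) - int64_t(dw.minX) + 1);
    const uint64_t height = uint64_t(int64_t(dw.maxY) - int64_t(dw.minY) + 1);
    const uint64_t pixelBudget = maxBytes / bytesPerPixel;

    // width * height > pixelBudget  <=>  height > pixelBudget / width  (width >= 1)
    if (height > pixelBudget / width)
        return {WindowStatus::TooLarge, 0};

    return {WindowStatus::Ok, width * height * bytesPerPixel};  // <= maxBytes
}

int main()
{
    // Constructed input: the largest window int32 coordinates can express.
    const Box2i huge{INT32_MIN, INT32_MIN, INT32_MAX, INT32_MAX};
    const WindowCheck r = checkDataWindow(huge, 8, 64ull << 20);  // 64 MiB budget
    std::printf("huge window rejected: %s\n",
                r.status == WindowStatus::TooLarge ? "yes" : "no");
    return 0;
}
```

A caller that gets anything other than `Ok` should reject the file before entering the `readPixels` loop or calling `resize`, rather than relying on the allocator to fail cleanly.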

Metadata

Created: 2025-07-31T19:23:18Z
Modified: 2025-08-01T18:35:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-x22w-82jp-8rvf/GHSA-x22w-82jp-8rvf.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-x22w-82jp-8rvf
Finding: F067
Auto approve: 1