CVE-2025-64182

7.8 HIGH

📋 TL;DR

This vulnerability in OpenEXR's deprecated Python adapter allows memory corruption when processing malicious EXR files. An attacker can cause crashes or potentially execute arbitrary code by exploiting an integer overflow and an unchecked allocation in the InputFile.channel() and InputFile.channels() methods. Users of the OpenEXR Python bindings in affected versions are at risk.

💻 Affected Systems

Products:
  • OpenEXR with Python bindings
Versions: 3.2.0-3.2.4, 3.3.0-3.3.5, 3.4.0-3.4.2
Operating Systems: All platforms supporting OpenEXR Python bindings
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the deprecated OpenEXR.InputFile wrapper in Python bindings

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment

🟠

Likely Case

Application crashes causing denial of service and potential data corruption

🟢

If Mitigated

Limited impact with proper input validation and sandboxing, but still vulnerable to crashes

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious EXR files or Python objects

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.5, 3.3.6, 3.4.3

Vendor Advisory: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr

Restart Required: No

Instructions:

1. Identify the installed OpenEXR version.
2. Upgrade to a patched version via the package manager or from source.
3. Rebuild the Python bindings if building from source.
4. Test with sample EXR files.

🔧 Temporary Workarounds

Workaround: Disable deprecated Python adapter
Applies to: all
Description: Replace usage of deprecated OpenEXR.InputFile with modern OpenEXR API
Steps: Replace 'import OpenEXR' with 'import OpenEXR3' or use modern bindings

Workaround: Input validation
Applies to: all
Description: Validate EXR files before processing with OpenEXR
Steps: Implement file signature validation and size limits

🧯 If You Can't Patch

  • Implement strict input validation for all EXR files
  • Sandbox OpenEXR processing in isolated containers or virtual environments

🔍 How to Verify

Check if Vulnerable:

Check OpenEXR version and verify if using deprecated Python bindings

Check Version:

python -c "import OpenEXR; print(OpenEXR.__version__)" or check system package manager

Verify Fix Applied:

Test with known malicious EXR files and verify no crashes occur
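The version check above and the "Input validation" workaround (file signature and size limits) combined into one script, as an added example that is not part of this advisory card or of the OpenEXR project. The affected version ranges are the ones listed in this card; the EXR magic bytes and version-field layout are from the OpenEXR file format; the sample headers are constructed, not real files.

```python
import re
import struct

# Affected ranges taken from the advisory card (inclusive bounds).
AFFECTED_RANGES = (
    ((3, 2, 0), (3, 2, 4)),
    ((3, 3, 0), (3, 3, 5)),
    ((3, 4, 0), (3, 4, 2)),
)

# Every OpenEXR file starts with this 4-byte magic (0x762f3101, little-endian),
# followed by a 4-byte version field: low byte = format version (always 2),
# bits 9..12 = tiled / long-names / deep-data / multipart flags.
EXR_MAGIC = b"\x76\x2f\x31\x01"
KNOWN_FLAG_BITS = 0x1E00

def parse_version(text):
    """Turn '3.3.5' (or '3.3.5+local') into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version_text):
    """True when the given OpenEXR version falls inside an affected range."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def installed_version_status():
    """Check the interpreter's own OpenEXR module; None when it is not installed."""
    try:
        import OpenEXR  # same module the card's one-liner imports
    except ImportError:
        return None
    return is_affected(OpenEXR.__version__)

def check_exr_header(data, max_size):
    """Pre-screen raw EXR bytes; return None if acceptable, else a rejection reason."""
    if len(data) > max_size:
        return "file exceeds size limit"
    if len(data) < 8:
        return "too short to hold magic and version"
    if data[:4] != EXR_MAGIC:
        return "bad EXR magic"
    version_field = struct.unpack("<I", data[4:8])[0]
    if version_field & 0xFF != 2:
        return f"unsupported EXR version {version_field & 0xFF}"
    if version_field & ~(0xFF | KNOWN_FLAG_BITS):
        return "reserved version-field bits set"
    return None

# Constructed sample headers: a plain scanline file and a multipart file (bit 12).
SAMPLE_SCANLINE = EXR_MAGIC + struct.pack("<I", 2)
SAMPLE_MULTIPART = EXR_MAGIC + struct.pack("<I", 2 | 0x1000)
```

Run check_exr_header() on the raw bytes before handing a file to OpenEXR.InputFile; a passing pre-screen only filters obviously malformed or oversized input and does not replace upgrading to a fixed release.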

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Memory allocation errors in logs
  • Unexpected process termination

Network Indicators:

  • Unusual EXR file uploads to web applications
  • Multiple failed file processing attempts

SIEM Query:

Process termination events from applications using OpenEXR Python bindings
