CVE-2025-64181

10.11.2025, 22:15

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
GitHub_M	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-457 - Use of Uninitialized Variable
The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

References

https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq

https://github.com/user-attachments/files/23024726/archive0.zip

https://github.com/user-attachments/files/23024736/archive1.zip

https://github.com/user-attachments/files/23024740/archive2.zip

https://github.com/user-attachments/files/23024744/archive3.zip

https://github.com/user-attachments/files/23024746/archive4.zip