CVE-2025-48071: OpenEXR Heap-Based Buffer Overflow in Deep Scanline Parsing via Forged Unpacked Size
The OpenEXRCore code is vulnerable to a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header.
References
- github.com/AcademySoftwareFoundation/openexr
- github.com/AcademySoftwareFoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-h45x-qhg2-q375
- github.com/ShielderSec/poc/tree/main/CVE-2025-48071
- github.com/advisories/GHSA-h45x-qhg2-q375
- nvd.nist.gov/vuln/detail/CVE-2025-48071