CVE-2025-48072: OpenEXR Out of Bounds Heap Read due to Bad Pointer Arithmetic in LossyDctDecoder_execute
The OpenEXRCore library is vulnerable to a heap-based out-of-bounds read (buffer over-read) caused by incorrect pointer arithmetic in LossyDctDecoder_execute when decompressing DWAA-packed scan-line EXR files that contain a maliciously forged chunk.
References
- github.com/AcademySoftwareFoundation/openexr
- github.com/AcademySoftwareFoundation/openexr/commit/2d09449427b13a05f7c31a98ab2c4347c23db361
- github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.3
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-4r7w-q3jg-ff43
- github.com/ShielderSec/poc/tree/main/CVE-2025-48072
- github.com/advisories/GHSA-4r7w-q3jg-ff43
- nvd.nist.gov/vuln/detail/CVE-2025-48072