CVE-2025-64182: OpenEXR has buffer overflow in PyOpenEXR_old's channels() and channel()
A memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper in PyOpenEXR_old.cpp) allows crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects.
An integer overflow in the buffer-size computation and an unchecked allocation in InputFile.channel() and InputFile.channels() can lead to a heap buffer overflow on 32-bit builds (the wrapped size is too small for the data copied into it) or a NULL pointer dereference on 64-bit builds (the oversized allocation fails and the result is used anyway). Only the deprecated wrapper is affected; until an updated package is installed, do not open untrusted EXR files through it.
This bug was found with ZeroPath.
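The following is an added illustration of the generic bug class the advisory describes (a byte count derived from attacker-controlled dimensions, multiplied without an overflow check, then passed to an unchecked allocation) next to a hardened version. It is not the PyOpenEXR_old.cpp code and does not use OpenEXR's types; the channel_dims struct, the function names and the 1 GiB policy cap are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Dimensions as they would arrive from an untrusted file header
 * (constructed example type, not an OpenEXR structure). */
typedef struct {
    size_t width;
    size_t height;
    size_t bytes_per_pixel;
} channel_dims;

/* Vulnerable pattern: the byte count is computed with plain multiplication,
 * so attacker-chosen dimensions can wrap it to a small value (heap overflow
 * once the real pixel data is copied in), and the malloc() result is never
 * checked (NULL dereference when the un-wrapped size is simply too large). */
unsigned char *alloc_channel_unsafe(channel_dims d) {
    size_t n = d.width * d.height * d.bytes_per_pixel;   /* may wrap */
    unsigned char *buf = malloc(n);                         /* may be NULL */
    memset(buf, 0, n);                                      /* crash or corrupt */
    return buf;
}

/* Overflow-checked size computation: returns 1 and stores the byte count in
 * *out, or returns 0 (with *out = 0) if width*height*bytes_per_pixel does not
 * fit in size_t. Portable; no compiler builtins required. */
int checked_channel_size(channel_dims d, size_t *out) {
    *out = 0;
    if (d.width != 0 && d.height > SIZE_MAX / d.width) return 0;
    size_t pixels = d.width * d.height;
    if (pixels != 0 && d.bytes_per_pixel > SIZE_MAX / pixels) return 0;
    *out = pixels * d.bytes_per_pixel;
    return 1;
}

/* Hypothetical policy cap for this example: a single channel larger than
 * 1 GiB is rejected even when the arithmetic does not overflow. */
#define MAX_CHANNEL_BYTES ((size_t)1 << 30)

/* Hardened allocation: refuse on arithmetic overflow, refuse empty or
 * over-cap sizes, and refuse (rather than dereference) a failed malloc(). */
unsigned char *alloc_channel_safe(channel_dims d) {
    size_t n;
    if (!checked_channel_size(d, &n)) return NULL;
    if (n == 0 || n > MAX_CHANNEL_BYTES) return NULL;
    unsigned char *buf = malloc(n);
    if (buf == NULL) return NULL;
    memset(buf, 0, n);
    return buf;
}

/* Shows the wrap concretely: (SIZE_MAX/2 + 1) * 2 * 1 equals 2^(bits in
 * size_t), which is 0 after wrap-around on both 32-bit and 64-bit targets.
 * The unsafe path above would then malloc(0) and later copy real pixel
 * data into it. */
size_t wrapped_size_example(void) {
    channel_dims d = { SIZE_MAX / 2 + 1, 2, 1 };
    return d.width * d.height * d.bytes_per_pixel;
}
```

The same header values behave differently by word size: on a 32-bit build a width and height of 65536 already wrap the product to zero, while on a 64-bit build the product is 4 GiB, which is why the advisory reports a heap overflow on one and a failed, unchecked allocation on the other. The checked version rejects both cases before any allocation happens.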
References
- github.com/AcademySoftwareFoundation/openexr
- github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr
- github.com/advisories/GHSA-vh63-9mqx-wmjr
- nvd.nist.gov/vuln/detail/CVE-2025-64182