CVE-2025-48072
Published: 31 July 2025
Summary
CVE-2025-48072 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in the OpenEXR library (vendor and product both listed as OpenEXR). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 35.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the heap buffer overflow by requiring timely remediation through patching to OpenEXR version 3.3.3 or later.
- SI-16 (Memory Protection): implements memory protections such as ASLR and DEP to hinder exploitation of the heap-based buffer overflow for code execution, leaving a crash as the more likely outcome.
- Input validation: requires validation of EXR file inputs so that maliciously forged DWAA-packed scan-line chunks are detected and rejected before decompression.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application): a heap buffer overflow in the OpenEXR file parser lets a remote, unauthenticated attacker who can get a malicious DWAA-packed EXR file processed trigger an out-of-bounds read, leading to information disclosure, denial of service, or potentially remote code execution.
NVD Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.
Deeper analysis
CVE-2025-48072 is a heap-based buffer overflow vulnerability in the OpenEXR reference implementation, version 3.3.2, which provides the specification and codebase for the EXR file format used in the motion picture industry for image storage. The flaw occurs during a read operation due to incorrect pointer arithmetic when decompressing DWAA-packed scan-line EXR files containing a maliciously forged chunk. This issue is classified under CWE-125 (Out-of-bounds Read) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
Remote attackers can exploit this vulnerability without privileges or user interaction by supplying a specially crafted DWAA-packed scan-line EXR file to an affected OpenEXR parser. Successful exploitation could result in high-impact confidentiality violations, such as information disclosure through memory reads, and high-impact availability disruptions, including denial-of-service via application crashes, potentially leading to remote code execution depending on the context and mitigations in place.
The OpenEXR project has addressed this vulnerability in version 3.3.3, as detailed in the security advisory GHSA-4r7w-q3jg-ff43, the release notes at the v3.3.3 tag, and the fixing commit 2d09449427b13a05f7c31a98ab2c4347c23db361. Security practitioners should update to OpenEXR 3.3.3 or later and validate EXR file inputs where possible to mitigate risks in applications processing motion picture imagery.
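As an added example that is not part of this CVE record or of the OpenEXR project's code, the triage helper below applies the input-validation mitigation at the file-intake layer: it parses a single-part EXR header, flags files that declare DWAA compression without the tiled flag (i.e. DWAA-packed scan-line files), and combines that with the consuming OpenEXR version against the 3.3.3 fix. It assumes the standard EXR header layout (magic 0x762f3101, null-terminated name/type attribute records, compression code 8 for DWAA, tile flag 0x200 in the version field); the sample headers are constructed and stripped to the one attribute the check reads, and multipart files are not handled.

```python
import struct
# Assumed EXR header constants (standard format, not taken from the CVE record).
EXR_MAGIC = b"\x76\x2f\x31\x01"
TILED_FLAG = 0x200                 # version-field bit for single-part tiled files
DWAA = 8                           # compression code for DWAA
FIXED_VERSION = (3, 3, 3)          # first OpenEXR release containing the fix

def parse_header_attrs(data):
    """Parse a single-part EXR header into (version_field, {name: (type, raw)})."""
    if len(data) < 8 or data[:4] != EXR_MAGIC:
        raise ValueError("not an EXR file")
    version = struct.unpack_from("<I", data, 4)[0]
    pos, attrs = 8, {}
    while True:
        end = data.index(b"\0", pos)            # ValueError if the header is cut short
        name = data[pos:end].decode("ascii", "replace")
        pos = end + 1
        if name == "":                          # empty name terminates the header
            return version, attrs
        end = data.index(b"\0", pos)
        atype = data[pos:end].decode("ascii", "replace")
        pos = end + 1
        size = struct.unpack_from("<i", data, pos)[0]
        pos += 4
        if size < 0 or pos + size > len(data):  # reject sizes that point past the buffer
            raise ValueError(f"attribute {name!r} declares size {size} past end of data")
        attrs[name] = (atype, data[pos:pos + size])
        pos += size

def is_dwaa_scanline(data):
    """True if the header declares DWAA compression and the file is not tiled."""
    version, attrs = parse_header_attrs(data)
    comp = attrs.get("compression")
    if comp is None or comp[0] != "compression" or len(comp[1]) != 1:
        return False
    return comp[1][0] == DWAA and not (version & TILED_FLAG)

def needs_attention(data, openexr_version):
    """Flag a DWAA scan-line file when the consuming OpenEXR build predates 3.3.3."""
    return is_dwaa_scanline(data) and tuple(openexr_version) < FIXED_VERSION

def _attr(name, atype, value):
    return (name.encode() + b"\0" + atype.encode() + b"\0"
            + struct.pack("<i", len(value)) + value)

# Constructed sample headers, reduced to the single attribute the check reads.
SAMPLE_DWAA_SCANLINE = (EXR_MAGIC + struct.pack("<I", 2)
                        + _attr("compression", "compression", bytes([DWAA])) + b"\0")
SAMPLE_ZIP_TILED = (EXR_MAGIC + struct.pack("<I", 2 | TILED_FLAG)
                    + _attr("compression", "compression", bytes([3])) + b"\0")
```

A file flagged by needs_attention is a candidate for quarantine or for decoding only in a sandboxed worker until the host's OpenEXR is upgraded to 3.3.3 or later.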
Details
- CWE(s)