VYPR
High severity · NVD Advisory · Published Jul 31, 2025 · Updated Jul 31, 2025

OpenEXR's Forged Unpacked Size can Lead to Heap-Based Buffer Overflow in Deep Scanline Parsing

CVE-2025-48071

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.2, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap-based buffer overflow in OpenEXR 3.3.0 to 3.3.2 allows remote code execution via a crafted ZIPS-packed deep scan-line EXR file.

Vulnerability

Description

CVE-2025-48071 is a heap-based buffer overflow vulnerability in OpenEXR, the reference implementation of the EXR image format widely used in the motion picture industry for high-dynamic-range imaging [1][2]. The flaw resides in the parsing of STORAGE_DEEP_SCANLINE chunks in ZIPS (Zlib Individual) compressed deep scan-line files [1]. When a maliciously forged chunk header supplies an oversized unpacked_size value, the undo_zip_impl function in src/lib/OpenEXRCore/internal_zip.c allocates insufficient buffer space for the decompressed data, leading to a heap-based buffer overflow during the subsequent write operation [3].

Attack

Vector

An attacker can exploit this vulnerability by crafting a specially designed EXR file containing a forged chunk header that specifies a large unpacked_size [3]. The victim must open the malicious file using an affected version of OpenEXR (3.3.0 through 3.3.2) [1]. No authentication is required; the attack vector is local, since the file must be processed on the target system, but the file can be delivered via email, web downloads, or other sharing mechanisms [3]. Proof-of-concept code is publicly available [4], increasing the risk of exploitation.

Impact

Successful exploitation allows an attacker to trigger a heap-based buffer overflow, which can lead to arbitrary code execution in the context of the application processing the EXR file [1][3]. This could result in system compromise, data corruption, or denial of service, depending on how the library is integrated into host software [2][3].

Mitigation

The vulnerability is fixed in OpenEXR version 3.3.3 [1]. Users are strongly advised to upgrade immediately. No workarounds are documented; processing untrusted EXR files with affected versions should be avoided until the update is applied.
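The validation that the fix relies on, as an added C example that is not OpenEXR code: a toy run-length decoder stands in for zlib, the header's unpacked_size is treated as untrusted (it only sizes a capped scratch allocation), and the decoded byte count is compared against the size derived from trusted image geometry before anything is copied into the output buffer. The equality check is a simplification of the two inequalities in the fix commit; MAX_SCRATCH_BYTES, the sample chunks, the result codes and every function name are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes in the spirit of OpenEXR's EXR_ERR_* values
 * (constructed for this example, not taken from the library). */
enum { UNPACK_OK = 0, UNPACK_ERR_CORRUPT_CHUNK = 1, UNPACK_ERR_OUT_OF_MEMORY = 2 };

/* Constructed cap on what a chunk header may ask us to allocate. */
#define MAX_SCRATCH_BYTES (1u << 20)

/* Constructed sample chunks: "AAABB" (5 bytes) and a 200-byte run of 'A'. */
const uint8_t SAMPLE_SMALL[] = {3, 'A', 2, 'B'};
const uint8_t SAMPLE_BIG[]   = {200, 'A'};

/* Toy stand-in for zlib inflate: payload is (run, byte) pairs. Writes are
 * bounded by dst_cap, the real size of the scratch buffer, and the number
 * of bytes the stream tried to emit is reported back to the caller. */
static int rle_unpack(const uint8_t *src, size_t src_len,
                      uint8_t *dst, size_t dst_cap, size_t *out_bytes)
{
    size_t produced = 0;
    if (src_len % 2 != 0) return UNPACK_ERR_CORRUPT_CHUNK;
    for (size_t i = 0; i < src_len; i += 2) {
        size_t run = src[i];
        if (run == 0) return UNPACK_ERR_CORRUPT_CHUNK;
        if (run > dst_cap - produced) {
            *out_bytes = produced + run; /* refuse rather than overrun */
            return UNPACK_ERR_CORRUPT_CHUNK;
        }
        memset(dst + produced, src[i + 1], run);
        produced += run;
    }
    *out_bytes = produced;
    return UNPACK_OK;
}

/* Decode one chunk. declared_unpacked is the header's unpacked_size and is
 * untrusted; expected_size is derived from trusted image geometry and is
 * the capacity of out. On success fills out and sets *decoded. */
int decode_chunk(const uint8_t *payload, size_t payload_len,
                 uint64_t declared_unpacked,
                 uint8_t *out, size_t expected_size, size_t *decoded)
{
    *decoded = 0;
    /* 1. A forged header must not drive an absurd allocation. */
    if (declared_unpacked == 0 || declared_unpacked > MAX_SCRATCH_BYTES)
        return UNPACK_ERR_CORRUPT_CHUNK;
    uint8_t *scratch = malloc((size_t) declared_unpacked);
    if (!scratch) return UNPACK_ERR_OUT_OF_MEMORY;

    /* 2. Decompress with the scratch buffer's real size as the hard bound. */
    size_t actual_out_bytes = 0;
    int res = rle_unpack(payload, payload_len, scratch,
                         (size_t) declared_unpacked, &actual_out_bytes);

    /* 3. The check the fix adds: the produced byte count must agree with the
     *    trusted size, or the copy below (standing in for the reconstruct
     *    step) would run past the end of out. */
    if (res == UNPACK_OK && actual_out_bytes != expected_size)
        res = UNPACK_ERR_CORRUPT_CHUNK;

    if (res == UNPACK_OK) {
        memcpy(out, scratch, actual_out_bytes);
        *decoded = actual_out_bytes; /* report only a validated count */
    }
    free(scratch);
    return res;
}

/* Runs one scenario against a fixed 64-byte output buffer. Returns the
 * decoder's result code, or -1 if a successful decode did not yield
 * expected_bytes (or the scenario itself is mis-sized). */
int run_scenario(const uint8_t *payload, size_t payload_len,
                 uint64_t declared_unpacked, size_t expected_size,
                 const char *expected_bytes)
{
    uint8_t out[64] = {0};
    size_t got = 0;
    if (expected_size > sizeof out) return -1;
    int res = decode_chunk(payload, payload_len, declared_unpacked,
                           out, expected_size, &got);
    if (res == UNPACK_OK &&
        (got != strlen(expected_bytes) || memcmp(out, expected_bytes, got) != 0))
        return -1;
    return res;
}

int main(void)
{
    printf("honest header, stream matches geometry   : %d\n",
           run_scenario(SAMPLE_SMALL, sizeof SAMPLE_SMALL, 5, 5, "AAABB"));
    printf("oversized header, stream matches geometry: %d\n",
           run_scenario(SAMPLE_SMALL, sizeof SAMPLE_SMALL, 64, 5, "AAABB"));
    printf("forged header, stream exceeds geometry   : %d\n",
           run_scenario(SAMPLE_BIG, sizeof SAMPLE_BIG, 200, 5, ""));
    printf("header smaller than stream               : %d\n",
           run_scenario(SAMPLE_BIG, sizeof SAMPLE_BIG, 8, 5, ""));
    printf("absurd unpacked_size                     : %d\n",
           run_scenario(SAMPLE_SMALL, sizeof SAMPLE_SMALL, UINT64_MAX, 5, ""));
    return 0;
}
```

The second scenario is the instructive one: an oversized unpacked_size on its own is not fatal, because the scratch buffer is sized from it and the decoder is bounded by that size; the dangerous case is the third, where the stream really does expand to more bytes than the trusted geometry allows, and only the post-decode comparison stops that count from being used against the smaller output buffer.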

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions    Patched versions
OpenEXR (PyPI)   >= 3.3.0, < 3.3.3    3.3.3

Affected products

  • Openexr/Openexr [llm-fuzzy]
    Range: <= 3.3.2
  • AcademySoftwareFoundation/openexr [v5]
    Range: >= 3.3.0, < 3.3.3

Patches

916cc729e24a

fix potential buffer overwrite with zip data (#1974)

https://github.com/AcademySoftwareFoundation/openexr · Kimball Thurston · Feb 8, 2025 · via ghsa
1 file changed · +1 −1
  • src/lib/OpenEXRCore/internal_zip.c · +1 −1 · modified
    @@ -298,7 +298,7 @@ undo_zip_impl (
         if (res == EXR_ERR_SUCCESS)
         {
             decode->bytes_decompressed = actual_out_bytes;
    -        if (comp_buf_size > actual_out_bytes)
    +        if (comp_buf_size > actual_out_bytes || actual_out_bytes > uncompressed_size)
                 res = EXR_ERR_CORRUPT_CHUNK;
             else
                 internal_zip_reconstruct_bytes (
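Review bot: `decode->bytes_decompressed = actual_out_bytes;` is still assigned before the new `actual_out_bytes > uncompressed_size` comparison, so on the `EXR_ERR_CORRUPT_CHUNK` path the decode state records a byte count larger than the buffer that count describes; consider moving the assignment under the `else` branch next to `internal_zip_reconstruct_bytes`, or resetting it to zero when `res` is set to the error, so a caller that inspects the decode struct after a failed chunk cannot act on the oversized value. A one-line comment stating that `uncompressed_size` is the expected size from the image geometry and is the bound the reconstruct step writes within would also document why this is the right comparison, since the surrounding `comp_buf_size > actual_out_bytes` test reads as the opposite direction.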
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

