OpenEXR ScanLineProcess::run_fill NULL Pointer Write In "reduceMemory" Mode
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, when reading a deep scanline image with a large sample count in reduceMemory mode, it is possible to crash a target application with a NULL pointer dereference in a write operation. This is fixed in version 3.3.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenEXR 3.3.2 NULL pointer dereference in deep scanline reading with reduceMemory mode causes crash.
Vulnerability
Overview
In OpenEXR version 3.3.2, the ScanLineProcess::run_fill function in ImfDeepScanLineInputFile.cpp writes the fill value into a sample buffer without confirming the buffer is allocated [1][4]. When reduceMemory mode is enabled, a check on the total sample size can skip reading pixel data, leaving the sample buffer as a NULL pointer [4].
Exploitation
An attacker can provide a crafted EXR file containing a deep scanline image with a large sample count. Running the exrcheck tool with the -m flag (reduceMemory mode) on this file triggers a write operation through the NULL pointer, causing a crash [3][4]. No special authentication is required beyond the ability to load the malformed image.
Impact
Successful exploitation results in a denial-of-service condition—the application crashes due to a NULL pointer dereference in a write operation [1][4]. The attacker cannot achieve code execution or data exfiltration based on the available information.
Mitigation
The vulnerability is fixed in OpenEXR version 3.3.3 [1][2]. Users should update to the latest version. If immediate upgrade is not possible, avoid processing untrusted EXR files in reduceMemory mode as a workaround.
For further details, see the official advisory [4] and proof-of-concept [3].
- NVD - CVE-2025-48073
- GitHub - AcademySoftwareFoundation/openexr: The OpenEXR project provides the specification and reference implementation of the EXR file format, the professional-grade image storage format of the motion picture industry.
- poc/CVE-2025-48073 at main · ShielderSec/poc
- ScanLineProcess::run_fill NULL Pointer Write In "reduceMemory" Mode
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
OpenEXRPyPI | >= 3.3.2, < 3.3.3 | 3.3.3 |
Affected products
2- AcademySoftwareFoundation/openexrv5Range: >= 3.3.2, < 3.3.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-qhpm-86v7-phmmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-48073ghsaADVISORY
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-qhpm-86v7-phmmghsax_refsource_CONFIRMWEB
- github.com/ShielderSec/poc/tree/main/CVE-2025-48073ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.