Low severityNVD Advisory· Published Nov 10, 2025· Updated Nov 12, 2025
OpenEXR Makes Use of Uninitialized Memory
CVE-2025-64181
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing openexr_exrcheck_fuzzer, Valgrind reports a conditional branch depending on uninitialized data inside generic_unpack. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
OpenEXRPyPI | >= 3.3.0, < 3.3.6 | 3.3.6 |
OpenEXRPyPI | >= 3.4.0, < 3.4.3 | 3.4.3 |
Affected products
6- ghsa-coords5 versionspkg:pypi/openexrpkg:rpm/opensuse/openexr&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/openexr&distro=openSUSE%20Tumbleweedpkg:rpm/suse/openexr&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/openexr&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
>= 3.3.0, < 3.3.6+ 4 more
- (no CPE)range: >= 3.3.0, < 3.3.6
- (no CPE)range: < 3.2.2-160000.3.1
- (no CPE)range: < 3.4.3-1.1
- (no CPE)range: < 3.2.2-160000.3.1
- (no CPE)range: < 3.2.2-160000.3.1
- AcademySoftwareFoundation/openexrv5Range: >= 3.3.0, < 3.3.6
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-3h9h-qfvw-98hqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-64181ghsaADVISORY
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hqghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.