OpenEXR Makes Use of Uninitialized Memory
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, fuzzing the openexr_exrcheck_fuzzer harness under Valgrind produces a report of a conditional branch that depends on uninitialized data inside generic_unpack, i.e. a use of uninitialized memory. Reading uninitialized memory is undefined behavior and can lead to a crash or denial of service. Versions 3.3.6 and 3.4.3 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenEXR 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2 read uninitialized memory in generic_unpack, which can cause a crash or denial of service; fixed in 3.3.6 and 3.4.3.
Vulnerability
Description
OpenEXR versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2 contain a use-of-uninitialized-memory vulnerability (CWE-457) in the generic_unpack function of the core decoder. It was found while fuzzing the openexr_exrcheck_fuzzer harness under Valgrind, which reported a conditional branch depending on an uninitialized value. The reported root cause is that the decoder's scratch buffer, allocated with malloc and therefore holding whatever the heap contained before, is not fully written before generic_unpack reads from it, so the unpack result (and the branch Valgrind flagged) depends on stale memory rather than on the file alone; in C this is undefined behavior [1][3].
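The bug class described above, as an added example written for this page (it is not OpenEXR code and does not reproduce generic_unpack; all names such as SCRATCH_BYTES, SAMPLE_PAYLOAD, scratch_alloc, decode_into_scratch, unpack_bytes, run_vulnerable and run_fixed are hypothetical). A decode stage writes only part of a malloc'd scratch buffer; the vulnerable unpack walks the buffer's full capacity, the fixed unpack walks only the bytes the decoder reported producing. The allocator deliberately fills fresh memory with a caller-chosen poison byte to stand in for stale heap contents, so that the dependence on "uninitialized" memory becomes visible as a change in output rather than as undefined behavior.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not OpenEXR code: a decode stage fills only part
 * of a malloc'd scratch buffer, and an unpack stage then reads the whole
 * buffer. Every name here is hypothetical. */

#define SCRATCH_BYTES 64

/* Constructed "decoded" payload: shorter than the scratch buffer, so the
 * tail of the buffer is never written by the decoder. */
static const uint8_t SAMPLE_PAYLOAD[16] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};

/* malloc() followed by a deliberate fill with a poison byte. The poison
 * stands in for whatever stale heap contents a real malloc() would hand
 * back; varying it shows which code paths depend on unwritten memory.
 * (Valgrind and MemorySanitizer detect this automatically; poisoning is the
 * manual equivalent when those tools are unavailable.) */
static uint8_t *scratch_alloc(size_t n, uint8_t poison)
{
    uint8_t *p = malloc(n);
    if (p != NULL)
        memset(p, poison, n);
    return p;
}

/* Decode stage: writes the payload into scratch and returns how many bytes
 * it actually produced. Everything past that count is untouched. */
static size_t decode_into_scratch(uint8_t *scratch, size_t cap)
{
    size_t n = sizeof SAMPLE_PAYLOAD < cap ? sizeof SAMPLE_PAYLOAD : cap;
    memcpy(scratch, SAMPLE_PAYLOAD, n);
    return n;
}

/* Shared unpack loop: a conditional branch on each byte, so the output is a
 * function of every byte it visits. */
static uint32_t unpack_bytes(const uint8_t *buf, size_t len)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] & 0x80)      /* branch depends on buf[i] */
            acc += 1000;
        acc += buf[i];
    }
    return acc;
}

/* Vulnerable pattern: unpack is driven by the buffer's capacity rather than
 * by how much the decoder wrote, so the branch above runs on 48 bytes the
 * decoder never produced. On a real malloc'd buffer this is the Valgrind
 * "conditional jump or move depends on uninitialised value(s)" report. */
uint32_t run_vulnerable(uint8_t poison)
{
    uint8_t *s = scratch_alloc(SCRATCH_BYTES, poison);
    if (s == NULL)
        return 0;
    (void)decode_into_scratch(s, SCRATCH_BYTES);   /* produced length ignored */
    uint32_t r = unpack_bytes(s, SCRATCH_BYTES);    /* reads the whole buffer */
    free(s);
    return r;
}

/* Fixed pattern: unpack is bounded by the length the decoder reported, so
 * no unwritten byte is ever read and the result is independent of the
 * poison (i.e. of stale heap contents). */
uint32_t run_fixed(uint8_t poison)
{
    uint8_t *s = scratch_alloc(SCRATCH_BYTES, poison);
    if (s == NULL)
        return 0;
    size_t produced = decode_into_scratch(s, SCRATCH_BYTES);
    uint32_t r = unpack_bytes(s, produced);         /* reads only written bytes */
    free(s);
    return r;
}

int main(void)
{
    printf("vulnerable: poison 0x00 -> %u, poison 0xFF -> %u\n",
           (unsigned)run_vulnerable(0x00), (unsigned)run_vulnerable(0xFF));
    printf("fixed:      poison 0x00 -> %u, poison 0xFF -> %u\n",
           (unsigned)run_fixed(0x00), (unsigned)run_fixed(0xFF));
    return 0;
}
```

Build with cc -Wall example.c and run: the vulnerable path returns different values for the two poison bytes, the fixed path returns the same value for both. Two design points carry over to real decoders. First, replacing malloc with calloc would make the vulnerable path deterministic (and silence Valgrind) but it would still read bytes the decoder never produced; bounding the read by the produced length is the fix that removes the dependency rather than hiding it. Second, the poison trick is only a stand-in: for real code, run the target (here, OpenEXR's exrcheck on a suspect file) under valgrind --track-origins=yes, or build with clang -fsanitize=memory, which is what surfaced this issue in the first place.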
Attack
Vector and Prerequisites
The vulnerability is triggered by decoding a specially crafted EXR file. No authentication or network position is required beyond getting the file in front of the decoder, so any application that uses OpenEXR to read untrusted EXR input is potentially affected: image processing pipelines, rendering and compositing software, and any other system that handles EXR images, including consumers of language bindings such as the PyPI package listed below, which wrap the same core library that contains generic_unpack [2].
Impact
Successful exploitation leads to a crash or denial of service: the uninitialized read is undefined behavior, and the decoder's control flow and output come to depend on stale heap contents rather than on the file alone, so behavior is unpredictable from run to run. The issue is classified as CWE-457 (Use of Uninitialized Variable). The advisory describes only crash and denial-of-service impact; it does not claim memory corruption or code execution [3].
Mitigation
The vulnerability is fixed in OpenEXR versions 3.3.6 and 3.4.3 [1][3]; update to one of those releases or later. There is no known workaround short of not decoding untrusted EXR input with an affected version. After updating, confirm which library version is actually linked, for example with pkg-config --modversion OpenEXR for a native install or pip show OpenEXR for the PyPI package, since applications frequently bundle their own copy of the library.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| OpenEXR | PyPI | >= 3.3.0, < 3.3.6 | 3.3.6 |
| OpenEXR | PyPI | >= 3.4.0, < 3.4.3 | 3.4.3 |
Affected products
- AcademySoftwareFoundation/openexr: >= 3.3.0, < 3.3.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/advisories/GHSA-3h9h-qfvw-98hq (GHSA advisory)
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-64181 (NVD record)
[3] https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq (upstream security advisory)
News mentions
No linked articles in our index yet.