OpenEXR has buffer overflow in PyOpenEXR_old's channels() and channel()
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper) allows crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects. Integer overflow and unchecked allocation in InputFile.channel() and InputFile.channels() can lead to a heap overflow (32-bit) or a NULL dereference (64-bit). Versions 3.2.5, 3.3.6, and 3.4.3 contain a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in OpenEXR's legacy Python InputFile adapter leads to heap overflow (32-bit) or NULL deref (64-bit) when processing attacker-controlled EXR files.
Root cause
CVE-2025-64182 is a memory safety flaw in the deprecated OpenEXR Python adapter (the OpenEXR.InputFile wrapper). The bug resides in InputFile.channel() and InputFile.channels(), where buffer allocation sizes are computed as typeSize * width * height without any bounds checks [1][4]. On 32-bit systems, integer overflow can wrap the product to a small positive size, causing a heap overflow when readPixels writes data into the undersized buffer. On 64-bit systems, the overflow can cause PyBytes_FromStringAndSize to return NULL, leading to a NULL pointer dereference and crash [4].
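The unchecked product described above, beside the overflow check a fix needs, as an added example that is not the OpenEXR project's own code (the function names and the maxBytes allocation limit are assumptions):

```cpp
#include <cstdint>
#include <cstdio>

// Unchecked form: the per-channel buffer size typeSize * width * height
// evaluated in 32-bit unsigned arithmetic, as on a 32-bit build. The
// product silently wraps modulo 2^32, so a later readPixels() into a
// buffer of this size overruns the heap.
uint32_t uncheckedSize32(uint32_t typeSize, uint32_t width, uint32_t height) {
    return typeSize * width * height;
}

// Multiply in 64-bit space and report whether the result fits in 32 bits
// (assumed helper, not an OpenEXR API).
static bool mulFits32(uint32_t a, uint32_t b, uint32_t* out) {
    uint64_t p = static_cast<uint64_t>(a) * b;
    *out = static_cast<uint32_t>(p);
    return p <= UINT32_MAX;
}

// Hardened form: returns -1 when either multiplication overflows 32 bits or
// the total exceeds maxBytes. The caller-chosen limit also covers the
// 64-bit case, where an absurd request makes the allocator fail and
// PyBytes_FromStringAndSize return NULL instead of a buffer.
int64_t checkedSize32(uint32_t typeSize, uint32_t width, uint32_t height,
                      uint64_t maxBytes) {
    uint32_t tmp = 0, total = 0;
    if (!mulFits32(typeSize, width, &tmp) || !mulFits32(tmp, height, &total))
        return -1;
    if (total > maxBytes)
        return -1;
    return static_cast<int64_t>(total);
}

int main() {
    // Constructed input: a 4-byte (FLOAT) channel with a crafted
    // 65536 x 16385 data window. The true size is 2^32 + 262144 bytes.
    std::printf("wrapped size: %u\n", uncheckedSize32(4, 65536, 16385));
    std::printf("checked size: %lld\n",
                static_cast<long long>(checkedSize32(4, 65536, 16385, UINT64_MAX)));
    return 0;
}
```

The wrapped value (262144) is exactly the kind of small positive size the advisory describes; the checked variant rejects it rather than allocating.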
Exploitation
The vulnerability can be triggered by opening a specially crafted EXR file or by passing crafted Python objects to the legacy adapter [1]. The attacker does not need special privileges; any application using the deprecated OpenEXR.InputFile is at risk. While the public PoC demonstrates a crash with a malicious header, the unsafe allocation in channel() and channels() allows controlled heap overflow under 32-bit execution [4].
Impact
An attacker capable of supplying a malicious EXR file can cause a denial of service via crash or potentially achieve arbitrary code execution due to heap corruption [1]. The exact impact depends on the system architecture and the memory layout at the time of the overflow.
Mitigation
The issue is patched in OpenEXR versions 3.2.5, 3.3.6, and 3.4.3 [1][4]. Users are strongly advised to update to a patched release or migrate away from the deprecated OpenEXR.InputFile wrapper to the supported openexr module.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OpenEXR (PyPI) | >= 3.2.0, < 3.2.5 | 3.2.5 |
| OpenEXR (PyPI) | >= 3.3.0, < 3.3.6 | 3.3.6 |
| OpenEXR (PyPI) | >= 3.4.0, < 3.4.3 | 3.4.3 |
Affected products
- AcademySoftwareFoundation/openexr, range: >= 3.2.0, < 3.2.5
Patches
No patches discovered yet.
References
- [1] github.com/advisories/GHSA-vh63-9mqx-wmjr (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2025-64182 (NVD entry)
- [3] github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp (affected source file)
- [4] github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr (project security advisory)