OpenEXR has use after free in PyObject_StealAttrString
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString, which calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. The helper is invoked in multiple places (e.g., when reading PixelType.v, Box2i, and V2f). Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free vulnerability in OpenEXR's pyOpenEXR legacy adapter allows memory corruption when reading image metadata.
Vulnerability
Overview
CVE-2025-64183 is a use-after-free vulnerability in the OpenEXR library, specifically in the legacy Python adapter file pyOpenEXR_old.cpp [1]. The flaw resides in the function PyObject_StealAttrString, which is meant to look up a named attribute on a Python object and return it without leaving the caller a reference to release. Instead of managing the reference count correctly, the function calls PyObject_GetAttrString to obtain a new reference, immediately decrements that reference (decref), and returns the now-dangling pointer [2]. Callers then pass this pointer to Python C API functions such as PyLong_AsLong or PyFloat_AsDouble, resulting in a read of freed memory [1][2].
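The following is an added example, not code from OpenEXR: a self-contained model of CPython reference counting that reproduces the sequence described above (new reference, immediate decref, return the pointer) next to the corrected pattern, and shows why the bug stays latent for an attribute the owner still references but frees a computed attribute such as a property. The Obj type, get_attr/decref helpers and the value 42 are constructed for the demonstration; no Python.h is used.

```c
/* Added example (not OpenEXR code): a constructed model of CPython refcounting
 * that mirrors PyObject_StealAttrString and the corrected pattern beside it.
 * Obj, get_attr, decref and the sample value are constructed for this demo. */
#include <stdio.h>

typedef struct { long refcnt; long value; int freed; } Obj;

/* Mimics Py_DECREF: at refcount zero the object is "deallocated".
 * Instead of free() we flag and poison it so the demo stays well defined. */
static void decref(Obj *o) {
    if (--o->refcnt == 0) { o->freed = 1; o->value = 0xDEAD; }
}

/* Mimics PyObject_GetAttrString: always returns a NEW reference. A stored
 * attribute keeps the owner's reference; a computed one (e.g. a property
 * like PixelType.v) exists only through the reference handed to the caller. */
static Obj *get_attr(Obj *attr) { attr->refcnt++; return attr; }

/* Vulnerable helper, same sequence as the advisory: new ref, decref, return. */
static Obj *steal_attr_bad(Obj *attr) {
    Obj *o = get_attr(attr);
    decref(o);           /* may drop the only reference */
    return o;            /* dangling when it did */
}

/* Corrected pattern: hold the new reference for as long as the pointer is used. */
static long read_attr_good(Obj *attr) {
    Obj *o = get_attr(attr);
    long v = o->value;   /* stands in for PyLong_AsLong(o) */
    decref(o);           /* release only after the value has been extracted */
    return v;
}

/* Returns 1 if the vulnerable helper hands back an already-freed object. */
static int bad_reads_freed(long owner_refs) {
    Obj attr = { owner_refs, 42, 0 };
    Obj *p = steal_attr_bad(&attr);
    return p->freed;     /* PyLong_AsLong on this pointer would be the UAF */
}

static long good_reads(long owner_refs) {
    Obj attr = { owner_refs, 42, 0 };
    return read_attr_good(&attr);
}

int main(void) {
    printf("stored attribute (owner holds a ref): freed=%d\n", bad_reads_freed(1));
    printf("computed attribute (no other ref):    freed=%d\n", bad_reads_freed(0));
    printf("corrected pattern reads %ld\n", good_reads(0));
    return 0;
}
```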
Exploitation
Prerequisites
Exploitation is triggered during the parsing of EXR file metadata. The vulnerable code is invoked in multiple locations, including when reading PixelType.v, Box2i, and V2f attributes from a Python object [1][2]. An attacker could craft a malicious EXR file that, when processed by an application using the vulnerable OpenEXR Python bindings, causes the interpreter to dereference a dangling pointer. No authentication is required; the attack vector is local (file parsing) but can be triggered remotely if an application loads user-supplied EXR files [1].
Impact
Successful exploitation results in a use-after-free condition, which can lead to application crashes or potentially arbitrary code execution in the context of the process reading the file [1]. Given that OpenEXR is widely used in visual effects, rendering, and image processing pipelines, this vulnerability poses a risk to production workflows that handle untrusted EXR files [3].
Mitigation
A fix has been released in versions 3.2.5, 3.3.6, and 3.4.3 [1][2]. Users are strongly advised to update their OpenEXR installations. No workarounds have been publicly documented, and this vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OpenEXR (PyPI) | >= 3.2.0, < 3.2.5 | 3.2.5 |
| OpenEXR (PyPI) | >= 3.3.0, < 3.3.6 | 3.3.6 |
| OpenEXR (PyPI) | >= 3.4.0, < 3.4.3 | 3.4.3 |
Affected products
- AcademySoftwareFoundation/openexr, range: >= 3.2.0, < 3.2.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-57cw-j6vp-2p9m (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-64183 (NVD entry)
- github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp (affected source file)
- github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-57cw-j6vp-2p9m (vendor advisory)
News mentions
No linked articles in our index yet.