Openexr

OpenEXR Python InputFile Heap Overflow 3.2.0-3.4.2
CVE-2025-64182 - November 10, 2025

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper) allow crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects. Integer overflow and unchecked allocation in InputFile.channel() and InputFile.channels() can lead to heap overflow (32 bit) or a NULL deref (64 bit). Versions 3.2.5, 3.3.6, and 3.4.3 contain a patch for the issue.

Classic Buffer Overflow

OpenEXR 3.x Unvalidated DataWindow Causing Memory DoS
CVE-2025-48074 5.5 - Medium - August 01, 2025

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3.

Allocation of Resources Without Limits or Throttling

OpenEXR 3.3.0-3.3.2 Heap Buffer Overflow on ZIPS Decompression (RCE)
CVE-2025-48071 7.8 - High - July 31, 2025

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3.

Heap-based Buffer Overflow

RCE via Heap Overflow in OpenEXR v3.3.2
CVE-2025-48072 9.1 - Critical - July 31, 2025

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.

Out-of-bounds Read

OpenEXR 3.3.2 DoS via Null Ptr Deref in reduceMemory deep scanline read
CVE-2025-48073 6.2 - Medium - July 31, 2025

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, when reading a deep scanline image with a large sample count in reduceMemory mode, it is possible to crash a target application with a NULL pointer dereference in a write operation. This is fixed in version 3.3.3.

NULL Pointer Dereference

OpenEXR <=3.2.3 Local DoS via exrmultipart.cpp convert()
CVE-2024-31047 - April 08, 2024

An issue in Academy Software Foundation openexr v.3.2.3 and before allows a local attacker to cause a denial of service (DoS) via the convert function of exrmultipart.cpp.

Heap Overflow in OpenEXR 3.2.1 or earlier due to scanline sample validation
CVE-2023-5841 9.1 - Critical - February 01, 2024

Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions v3.2.2 and v3.1.12 of the affected library.

Heap-based Buffer Overflow

OpenEXR B44Compressor Memory Exhaustion (CVE-2021-20298)
CVE-2021-20298 - August 23, 2022

A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.

Resource Exhaustion

OpenEXR hufDecode Right-Shift Error Enables Service Disruption
CVE-2021-20304 - August 23, 2022

A flaw was found in OpenEXR's hufDecode functionality. This flaw allows an attacker who can pass a crafted file to be processed by OpenEXR, to trigger an undefined right shift error. The highest threat from this vulnerability is to system availability.

Integer Overflow or Wraparound

In ImfChromaticities.cpp routine RGBtoXYZ()
CVE-2021-3941 6.5 - Medium - March 25, 2022

In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.

Divide By Zero

An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits
CVE-2021-3933 5.5 - Medium - March 25, 2022

An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.

Integer Overflow or Wraparound

A flaw was found in OpenEXR's Multipart input file functionality
CVE-2021-20299 - March 16, 2022

A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability.

NULL Pointer Dereference

A flaw was found in OpenEXR's hufUncompress functionality in OpenEXR/IlmImf/ImfHuf.cpp
CVE-2021-20300 - March 04, 2022

A flaw was found in OpenEXR's hufUncompress functionality in OpenEXR/IlmImf/ImfHuf.cpp. This flaw allows an attacker who can submit a crafted file that is processed by OpenEXR, to trigger an integer overflow. The highest threat from this vulnerability is to system availability.

Integer Overflow or Wraparound

A flaw was found in OpenEXR's TiledInputFile functionality
CVE-2021-20302 - March 04, 2022

A flaw was found in OpenEXR's TiledInputFile functionality. This flaw allows an attacker who can submit a crafted single-part non-image to be processed by OpenEXR, to trigger a floating-point exception error. The highest threat from this vulnerability is to system availability.

Improper Input Validation

A flaw found in function dataWindowForTile() of IlmImf/ImfTiledMisc.cpp
CVE-2021-20303 - March 04, 2022

A flaw found in function dataWindowForTile() of IlmImf/ImfTiledMisc.cpp. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, leading to an out-of-bounds write on the heap. The greatest impact of this flaw is to application availability, with some potential impact to data integrity as well.

Integer Overflow or Wraparound

OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called
CVE-2021-45942 5.5 - Medium - January 01, 2022

OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.

Memory Corruption

There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5
CVE-2021-3605 5.5 - Medium - August 25, 2021

There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.

Buffer Overflow

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5
CVE-2021-3598 5.5 - Medium - July 06, 2021

There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.

Buffer Overflow

An integer overflow leading to a heap-buffer overflow was found in OpenEXR in versions before 3.0.1
CVE-2021-26945 5.5 - Medium - June 08, 2021

An integer overflow leading to a heap-buffer overflow was found in OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.

Integer Overflow or Wraparound

A heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1
CVE-2021-23169 8.8 - High - June 08, 2021

A heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled against OpenEXR.

Memory Corruption

An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1
CVE-2021-23215 5.5 - Medium - June 08, 2021

An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.

Resource Exhaustion

An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1
CVE-2021-26260 5.5 - Medium - June 08, 2021

An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR. This is a different flaw from CVE-2021-23215.

Resource Exhaustion

A flaw was found in OpenEXR in versions before 3.0.0-beta
CVE-2021-20296 - April 01, 2021

A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted input file supplied by an attacker, that is processed by the Dwa decompression functionality of OpenEXR's IlmImf library, could cause a NULL pointer dereference. The highest threat from this vulnerability is to system availability.

NULL Pointer Dereference

There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta
CVE-2021-3477 5.5 - Medium - March 31, 2021

There's a flaw in OpenEXR's deep tile sample size calculations in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger an integer overflow, subsequently leading to an out-of-bounds read. The greatest risk of this flaw is to application availability.

Out-of-bounds Read

There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta
CVE-2021-3478 5.5 - Medium - March 31, 2021

There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory. The greatest impact of this flaw is to system availability.

Resource Exhaustion

There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta
CVE-2021-3479 5.5 - Medium - March 31, 2021

There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption of memory, resulting in an impact to system availability.

Resource Exhaustion

There's a flaw in OpenEXR in versions before 3.0.0-beta
CVE-2021-3474 5.3 - Medium - March 30, 2021

There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted input file that is processed by OpenEXR could cause a shift overflow in the FastHufDecoder, potentially leading to problems with application availability.

Integer Overflow or Wraparound

There is a flaw in OpenEXR in versions before 3.0.0-beta
CVE-2021-3475 5.3 - Medium - March 30, 2021

There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be processed by OpenEXR could cause an integer overflow, potentially leading to problems with application availability.

Integer Overflow or Wraparound

A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta
CVE-2021-3476 5.3 - Medium - March 30, 2021

A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially affecting application availability.

Integer Overflow or Wraparound

A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp
CVE-2020-16587 - December 09, 2020

A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file.

A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp
CVE-2020-16588 - December 09, 2020

A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp that can cause a denial of service via a crafted EXR file.

A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.cpp
CVE-2020-16589 - December 09, 2020

A head-based buffer overflow exists in Academy Software Foundation OpenEXR 2.3.0 in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of service via a crafted EXR file.

An issue was discovered in OpenEXR before v2.5.2
CVE-2020-15306 5.5 - Medium - June 26, 2020

An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp.

Memory Corruption

An issue was discovered in OpenEXR before 2.5.2
CVE-2020-15305 5.5 - Medium - June 26, 2020

An issue was discovered in OpenEXR before 2.5.2. Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp.

Dangling pointer

An issue was discovered in OpenEXR before 2.5.2
CVE-2020-15304 5.5 - Medium - June 26, 2020

An issue was discovered in OpenEXR before 2.5.2. An invalid tiled input file could cause invalid memory access in TiledInputFile::TiledInputFile() in IlmImf/ImfTiledInputFile.cpp, as demonstrated by a NULL pointer dereference.

NULL Pointer Dereference

An issue was discovered in OpenEXR before 2.4.1
CVE-2020-11759 - April 14, 2020

An issue was discovered in OpenEXR before 2.4.1. Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer.

An issue was discovered in OpenEXR before 2.4.1
CVE-2020-11758 - April 14, 2020

An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read in ImfOptimizedPixelReading.h.

An issue was discovered in OpenEXR before 2.4.1
CVE-2020-11760 - April 14, 2020

An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp.

An issue was discovered in OpenEXR before 2.4.1
CVE-2020-11761 - April 14, 2020

An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp.

An issue was discovered in OpenEXR before 2.4.1
CVE-2020-11762 - April 14, 2020

An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case.

An issue was discovered in OpenEXR before 2.4.1
CVE-2020-11763 - April 14, 2020

An issue was discovered in OpenEXR before 2.4.1. There is an std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp.

An issue was discovered in OpenEXR before 2.4.1
CVE-2020-11764 - April 14, 2020

An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp.

An issue was discovered in OpenEXR before 2.4.1
CVE-2020-11765 - April 14, 2020

An issue was discovered in OpenEXR before 2.4.1. There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read.

Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file
CVE-2017-14988 5.5 - Medium - October 03, 2017

Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid

Resource Exhaustion

In OpenEXR 2.2.0
CVE-2017-12596 - August 07, 2017

In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution; it may result in denial of service or possibly unspecified other impact.

In OpenEXR 2.2.0
CVE-2017-9110 - May 21, 2017

In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash.

In OpenEXR 2.2.0
CVE-2017-9116 - May 21, 2017

In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function in ImfZip.cpp could cause the application to crash.

In OpenEXR 2.2.0
CVE-2017-9115 - May 21, 2017

In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function in half.h could cause the application to crash or execute arbitrary code.

In OpenEXR 2.2.0
CVE-2017-9114 - May 21, 2017

In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash.

In OpenEXR 2.2.0
CVE-2017-9113 - May 21, 2017

In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp could cause the application to crash or execute arbitrary code.