OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48071.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-122"
]
}"2026-07-09T15:34:22Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48071.json"
[
{
"id": "CVE-2025-48071-b9cfc41c",
"digest": {
"line_hashes": [
"236554309323941681442902780184542278622",
"215692014661767331559617667733471439449",
"17146640194290669469922204778186888796",
"253648945683594711445023860716404119097"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/academysoftwarefoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f",
"deprecated": false,
"target": {
"file": "src/lib/OpenEXRCore/internal_zip.c"
}
},
{
"id": "CVE-2025-48071-f6e27b48",
"digest": {
"function_hash": "189907468790423021866405460083792139662",
"length": 468.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/academysoftwarefoundation/openexr/commit/916cc729e24aa16b86d82813f6e136340ab2876f",
"deprecated": false,
"target": {
"function": "undo_zip_impl",
"file": "src/lib/OpenEXRCore/internal_zip.c"
}
}
]