When decoding an OpenEXR file that uses DWAA or DWAB compression, the specified raw length of the run-length-encoded data is not checked before it is used to calculate the output data.
We read rlerawsize from the input file at [0], decompress and decode into the buffer td->rlerawdata of size rlerawsize at [1], and then at [2] access entries in this buffer up to (td->xsize - 1) * (td->ysize - 1) + rlerawsize / 2, which may exceed rlerawsize.
We recommend upgrading to version 8.0 or beyond.
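The missing validation, sketched as an added example that is not code from the affected project: it takes the bound exactly as stated above and assumes the index and rlerawsize are counted in the same units. The function and parameter names are hypothetical stand-ins for td->xsize, td->ysize and rlerawsize.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical helper (not the project's code). Returns true only when the
 * highest index named in the advisory,
 *     (xsize - 1) * (ysize - 1) + rle_raw_size / 2,
 * falls inside a buffer of rle_raw_size entries. All three values come from
 * the file, so the arithmetic is checked for wraparound as well.
 */
bool rle_raw_access_in_bounds(int64_t xsize, int64_t ysize, int64_t rle_raw_size)
{
    /* Non-positive dimensions or sizes are never valid. */
    if (xsize <= 0 || ysize <= 0 || rle_raw_size <= 0)
        return false;

    uint64_t w = (uint64_t)xsize - 1;
    uint64_t h = (uint64_t)ysize - 1;
    uint64_t size = (uint64_t)rle_raw_size;
    uint64_t half = size / 2;

    /* Reject if (xsize - 1) * (ysize - 1) would wrap. */
    if (h != 0 && w > UINT64_MAX / h)
        return false;
    uint64_t span = w * h;

    /* Reject if adding rle_raw_size / 2 would wrap. */
    if (span > UINT64_MAX - half)
        return false;

    /* A valid index must be strictly below the buffer size. */
    return span + half < size;
}

int main(void)
{
    /* Constructed sample values, not taken from any real file. */
    printf("3x3,   size 10: %d\n", rle_raw_access_in_bounds(3, 3, 10));
    printf("3x3,   size 8:  %d\n", rle_raw_access_in_bounds(3, 3, 8));
    printf("64x64, size 16: %d\n", rle_raw_access_in_bounds(64, 64, 16));
    return 0;
}
```

A decoder applying such a check would reject the input as invalid when it returns false, before touching the buffer.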
{
  "license": "CC-BY-4.0",
  "sources": [
    {
      "id": "CVE-2025-59731",
      "published": "2025-10-06T08:15:34.770Z",
      "modified": "2026-06-17T09:46:36.573Z",
      "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59731",
      "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-59731",
      "database_specific": {
        "status": "Deferred"
      },
      "imported": "2026-06-26T19:19:59.725Z"
    },
    {
      "id": "GHSA-p7r5-qh99-qchm",
      "modified": "2025-10-19T15:31:16Z",
      "html_url": "https://github.com/advisories/GHSA-p7r5-qh99-qchm",
      "url": "https://api.github.com/advisories/GHSA-p7r5-qh99-qchm",
      "published": "2025-10-06T09:30:20Z",
      "imported": "2026-06-26T19:19:26.621Z"
    },
    {
      "id": "EUVD-2025-32181",
      "modified": "2026-02-26T17:48:18Z",
      "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-32181",
      "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2025-32181",
      "published": "2025-10-06T08:09:23Z",
      "imported": "2026-06-26T19:19:09.468Z"
    }
  ]
}