CVE-2025-64181
Publication date 10 November 2025
Last updated 16 April 2026
Ubuntu priority
Description
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| openexr | 25.10 questing |
Vulnerable
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-64181
- https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq
- https://github.com/AcademySoftwareFoundation/openexr/commit/72aa3e78acfb99eacae8bfae8bf4e4831634db11
- https://github.com/user-attachments/files/23024726/archive0.zip
- https://github.com/user-attachments/files/23024736/archive1.zip
- https://github.com/user-attachments/files/23024740/archive2.zip
- https://github.com/user-attachments/files/23024744/archive3.zip
- https://github.com/user-attachments/files/23024746/archive4.zip