
Cloud Vulnerability DB
A community-led vulnerabilities database
OpenEXR version 3.3.2 contains a vulnerability (CVE-2025-48072) discovered on July 31, 2025, affecting the EXR file format implementation used in the motion picture industry. The vulnerability is a heap-based buffer overflow during read operations, occurring specifically when decompressing DWAA-packed scan-line EXR files containing maliciously forged chunks (GitHub Advisory, NVD).
The vulnerability exists in the LossyDctDecoder_execute function in src/lib/OpenEXRCore/internal_dwa_decoder.h when SSE2 is enabled. The issue stems from incorrect pointer arithmetic: a __m128i (SSE2 si128) pointer (src) is incremented by 8*8 as if it were a uint16_t pointer, for which that increment would be a 128-byte offset. Because the pointer type is 16 bytes wide, the increment overshoots, and the miscalculation leads to an out-of-bounds access when processing non-block-aligned chunks, where the width or height is not a multiple of 8. The vulnerability has been assigned a CVSS v4.0 Base Score of 6.8 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N (GitHub Advisory).
The vulnerability can allow attackers to crash the application and potentially leak sensitive data, including memory addresses that could be used to bypass exploitation mitigations such as ASLR. The issue particularly affects applications processing DWAA-compressed EXR files (GitHub Advisory).
The vulnerability has been patched in OpenEXR version 3.3.3. The fix involves correcting the pointer arithmetic in the LossyDctDecoder_execute function by changing the increment from 'src += 8 * 8' to 'src += 8' (GitHub Release, GitHub Commit).
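The pointer-scaling mistake described above, as an added illustration that is not OpenEXR's code: a 16-byte struct stands in for __m128i (an assumption, so the example builds without SSE2), and the block-unpacking loop, the constructed 20x10 sample stream, and the names advance_bytes, unpack_blocks, demo_unpack and demo_pixel are all invented for this example. It shows why 'src += 8 * 8' on a 16-byte pointer lands 1024 bytes ahead while 'src += 8' gives the intended 128-byte (8x8 uint16_t) step, and how a per-block bounds check turns the out-of-bounds read into a reported error on a stream whose width and height are not multiples of 8.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 16-byte stand-in for __m128i so the example builds without SSE2 (assumption). */
typedef struct { uint64_t lane[2]; } vec128;
_Static_assert(sizeof(vec128) == 16, "vec128 must be 16 bytes, like __m128i");

#define BLOCK_DIM 8                        /* DCT blocks are 8x8 samples   */
#define BLOCK_U16 (BLOCK_DIM * BLOCK_DIM)  /* 64 uint16_t per block        */

/* Bytes a pointer moves when incremented by `count` elements of `elem_size`. */
size_t advance_bytes(size_t elem_size, size_t count) { return elem_size * count; }

/* Copy a stream of 8x8 blocks into a width x height image, clipping partial
 * edge blocks (width/height not a multiple of 8). `src_len` is in uint16_t;
 * `src` must be 16-byte aligned. Returns 0 on success, or -1 when the next
 * block read would run past the source buffer (reported instead of done). */
int unpack_blocks(const uint16_t *src, size_t src_len, uint16_t *dst,
                  int width, int height, int use_buggy_increment)
{
    const uint8_t *end = (const uint8_t *)(src + src_len);
    const vec128 *s = (const vec128 *)src;  /* one vec128 = one 8-sample row */
    int blocks_x = (width + BLOCK_DIM - 1) / BLOCK_DIM;
    int blocks_y = (height + BLOCK_DIM - 1) / BLOCK_DIM;

    for (int by = 0; by < blocks_y; by++) {
        for (int bx = 0; bx < blocks_x; bx++) {
            /* Bounds check: a whole block (8 rows of 16 bytes) must be readable. */
            if ((const uint8_t *)s + BLOCK_DIM * sizeof(vec128) > end)
                return -1;
            for (int r = 0; r < BLOCK_DIM; r++) {
                int y = by * BLOCK_DIM + r;
                if (y >= height) break;               /* clip bottom edge */
                int cols = width - bx * BLOCK_DIM;
                if (cols > BLOCK_DIM) cols = BLOCK_DIM; /* clip right edge  */
                memcpy(dst + (size_t)y * width + bx * BLOCK_DIM, &s[r],
                       (size_t)cols * sizeof(uint16_t));
            }
            /* Buggy form: 64 vec128 = 1024 bytes; fixed form: 8 vec128 = 128 bytes. */
            s += use_buggy_increment ? BLOCK_DIM * BLOCK_DIM : BLOCK_DIM;
        }
    }
    return 0;
}

/* Constructed demo input: 20x10 image = 3x2 blocks; block b, sample i holds b*100+i. */
#define DEMO_W 20
#define DEMO_H 10
#define DEMO_BLOCKS 6
static uint16_t demo_image[DEMO_W * DEMO_H];

int demo_unpack(int use_buggy_increment)
{
    _Alignas(16) static uint16_t stream[DEMO_BLOCKS * BLOCK_U16];
    for (int b = 0; b < DEMO_BLOCKS; b++)
        for (int i = 0; i < BLOCK_U16; i++)
            stream[b * BLOCK_U16 + i] = (uint16_t)(b * 100 + i);
    memset(demo_image, 0, sizeof demo_image);
    return unpack_blocks(stream, DEMO_BLOCKS * BLOCK_U16, demo_image,
                         DEMO_W, DEMO_H, use_buggy_increment);
}

/* Pixel value after a correct unpack, or -1 if unpacking was rejected. */
int demo_pixel(int x, int y)
{
    if (demo_unpack(0) != 0) return -1;
    return demo_image[y * DEMO_W + x];
}

int main(void)
{
    printf("src += 8*8 on __m128i*: %zu bytes\n", advance_bytes(sizeof(vec128), 64));
    printf("src += 8   on __m128i*: %zu bytes\n", advance_bytes(sizeof(vec128), 8));
    printf("fixed increment: status %d, pixel(19,9)=%d\n", demo_unpack(0), demo_pixel(19, 9));
    printf("buggy increment: status %d (read past end rejected)\n", demo_unpack(1));
    return 0;
}
```

With the fixed increment every block of the 20x10 stream is consumed in order and the edge blocks are clipped; with the buggy increment the second block's read would start 1024 bytes in, past the 768-byte buffer, and the pre-read bounds check rejects it instead of reading out of bounds.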
Source: This report was generated using AI