CVE-2025-48073: 
Python vulnerability analysis and mitigation

OpenEXR, which provides the specification and reference implementation of the EXR file format for the motion picture industry, was found to contain a vulnerability in version 3.3.2. The vulnerability was discovered and disclosed on July 31, 2025, and was assigned identifier CVE-2025-48073. The issue affects the deep scanline image processing functionality when operating in reduceMemory mode (GitHub Advisory).

The vulnerability is a NULL pointer dereference that occurs in the ScanLineProcess::run_fill function, implemented in src/lib/OpenEXR/ImfDeepScanLineInputFile.cpp. When reading a deep scanline image with a large sample count in reduceMemory mode, the sample buffer is not allocated due to size restrictions, resulting in a potential write operation on a NULL pointer. The vulnerability has been assigned a CVSS 3.1 score indicating Low severity with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L and is classified as CWE-476 (NULL Pointer Dereference) (Red Hat XML, GitHub Advisory).

The vulnerability can lead to a denial of service condition by causing the application to crash when processing specially crafted deep scanline images with large sample counts in reduceMemory mode (GitHub Advisory).

The vulnerability has been fixed in OpenEXR version 3.3.3. Users are advised to upgrade to this version to mitigate the issue. For systems where immediate upgrading is not possible, no alternative workarounds have been provided that meet security criteria (Red Hat XML).