CVE-2025-48074: 
Python vulnerability analysis and mitigation

A memory exhaustion vulnerability (CVE-2025-48074) was discovered in OpenEXR version 3.3.2. The vulnerability was disclosed on July 31, 2025, affecting applications that process OpenEXR image files. The flaw exists in how the application handles dataWindow size values from file headers (OpenEXR Advisory).

The vulnerability stems from OpenEXR's file format handling where it trusts unvalidated dataWindow size values from file headers. The issue specifically manifests in the readScanline() function in ImfCheckFile.cpp at line 235, where a for-loop uses potentially arbitrary large dataWindow min.y and max.y coordinates. Additionally, the EnvmapImage::resize function can trigger huge allocations through Array2D::resizeEraseUnsafe. The vulnerability has been assigned a CVSS v3.1 score of 3.3 (Low) with the vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L (Red Hat).

The vulnerability can lead to excessive memory allocation and performance degradation when processing malicious files. On some systems, this results in std::bad_alloc crashes, while on others (like macOS), it can lead to allocation of tens of gigabytes of memory (OpenEXR Advisory).

The vulnerability has been patched in OpenEXR version 3.3.3. Currently, for unpatched systems, there are no practical mitigation options that meet Red Hat Product Security criteria for ease of use and deployment (Red Hat).