CVE-2025-59733: 
Ffmpeg vulnerability analysis and mitigation

CVE-2025-59733 is a vulnerability discovered in OpenEXR file processing when using DWAA or DWAB compression. The vulnerability was disclosed on October 6, 2025, and affects systems that handle OpenEXR image files. The issue stems from an implicit assumption in the channel parsing code that all image channels have the same pixel type and size, and that in cases with four channels, they follow a specific 'B', 'G', 'R', 'A' order (NVD CVE).

The vulnerability occurs in the decodeheader function where the buffer td->uncompresseddata is allocated in decodeblock based on xsize, ysize, and computed currentchanneloffset. The dwauncompress function makes assumptions about channel types and ordering that can be exploited. When main color channels are set to a 4-byte type and duplicate or unknown channels of the 2-byte EXRHALF type are added, the pointer increment calculation at [7] (4-bytes xsize nbchannels) exceeds the allocated buffer size. The vulnerability has been assigned a CVSS 4.0 score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N (NVD CVE).

The vulnerability can lead to an out-of-bounds write condition (CWE-787) when processing specially crafted OpenEXR files. This could potentially allow attackers to corrupt memory and possibly execute arbitrary code through buffer overflow exploitation (NVD CVE).

The recommended mitigation is to upgrade to version 8.0 or beyond of the affected software. This version contains fixes that address the vulnerability in the OpenEXR file processing (NVD CVE).