CVE-2025-64181: 
NixOS vulnerability analysis and mitigation

CVE-2025-64181 affects OpenEXR, a specification and reference implementation of the EXR file format used in the motion picture industry. The vulnerability was discovered in versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, with a fix released in versions 3.3.6 and 3.4.3. The issue involves the use of uninitialized memory in the genericunpack function, which was identified during fuzzing operations of the openexrexrcheck_fuzzer (GitHub Advisory).

The vulnerability stems from a conditional branch depending on uninitialized data inside the genericunpack function. Valgrind analysis revealed that the unpacker branches on bytes in a scratch buffer that were never written because the decode step didn't fully populate it. The issue occurs when the function reads from the decompressed/expanded pixel buffer to scatter data into the framebuffer. The uninitialized value originates from a heap allocation in the per-tile/per-scanline decode scratch buffer allocated in exrdecoding_run (GitHub Advisory).

The vulnerability can result in undefined behavior and potentially lead to crashes or denial of service conditions. The issue manifests in multiple paths including deep pointers (genericunpackdeeppointers), deep sample table (unpacksampletable), half conversion (halftofloatbuffer_f16c), and deep compositing (CompositeDeepScanLine::readPixels) (GitHub Advisory).

The vulnerability has been fixed in OpenEXR versions 3.3.6 and 3.4.3. Users are advised to upgrade to these patched versions to mitigate the risk (GitHub Advisory).