CVE-2025-59732
BaseFortify

Publication date: 2025-10-06

Last updated on: 2025-10-19

Assigner: Google Inc.

Description
When decoding an OpenEXR file that uses DWAA or DWAB compression, there's an implicit assumption that the height and width are divisible by 8. If the height or width of the image is not divisible by 8, the copy loops at [0] and [1] will continue to write until the next multiple of 8. The buffer td->uncompressed_data is allocated in decode_block based on the precise height and width of the image, so the "rounded-up" multiple of 8 in the copy loop can exceed the buffer bounds, and the write block starting at [2] can corrupt following heap memory. We recommend upgrading to version 8.0 or beyond.
Affected Vendors & Products
Vendor    Product    Version / Range
openexr   openexr    * (all versions)
Note: the CPE above keys on the name of the file format. The identifiers in the description (td->uncompressed_data, decode_block) and the fixed version 8.0 do not correspond to the OpenEXR reference library, whose releases are numbered 3.x; they match FFmpeg's OpenEXR decoder in libavcodec (exr.c), whose 8.0 release is the one the advisory's upgrade advice points at. Check which component actually decodes EXR files in your environment before deciding whether and where the fix applies.
CWE ID: CWE-787 (Out-of-bounds Write)
Description: The product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

The bug is in the DWAA/DWAB decompression path of the OpenEXR decoder named in the description. The copy loops that write the decoded 8x8 blocks into td->uncompressed_data assume the image height and width are multiples of 8, but decode_block allocates that buffer for the exact height and width. For an image whose height or width is not a multiple of 8, the loops keep writing up to the next multiple of 8, run past the end of the allocation, and corrupt whatever follows it on the heap.
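To make the arithmetic in the description and in the summary above concrete, here is an added C example written for this page; it is not code from the advisory or from any OpenEXR decoder. It models the copy loops with a hypothetical 8x8 block-copy routine (run_block_copy, block_sample and round_up8 are all names chosen here) that writes into a buffer sized for the exact width and height, as decode_block sizes td->uncompressed_data, and runs the unchecked loop from the description beside a clamped version. The guard region after the exact-size buffer, the sample values, and the row stride (assumed to equal the exact image width) are assumptions for the demonstration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 8

/* Round n up to the next multiple of 8: the extent an unchecked 8x8 block
 * copy covers in each dimension (assumed helper, not the decoder's own). */
static int round_up8(int n) { return (n + BLOCK - 1) & ~(BLOCK - 1); }

/* Hypothetical stand-in for a reconstructed block: sample (yy, xx) of
 * block (by, bx) is a deterministic value so the output can be verified. */
static uint8_t block_sample(int by, int bx, int yy, int xx)
{
    return (uint8_t)(by * 97 + bx * 53 + yy * 8 + xx);
}

/* Copies 8x8 blocks for an xsize x ysize image into a buffer sized exactly
 * xsize*ysize, the way decode_block sizes td->uncompressed_data.  A guard
 * region follows the exact-size buffer so the overrun can be measured here
 * instead of corrupting real heap objects.
 *   clamp == 0: the vulnerable pattern, every block is written in full.
 *   clamp != 0: the fixed pattern, rows/columns outside the image are skipped.
 * Returns the number of bytes written past the exact-size buffer.
 * *bad_pixels receives the number of in-image samples holding a wrong value
 * (the unchecked loop also clobbers in-image samples when a row wraps). */
size_t run_block_copy(int xsize, int ysize, int clamp, size_t *bad_pixels)
{
    const int w8 = round_up8(xsize);
    const size_t exact = (size_t)xsize * ysize;
    /* 8 rows of w8 bytes always covers the worst case of the unchecked loop:
     * at most 7 full rows plus part of an 8th beyond the image. */
    const size_t guard = (size_t)BLOCK * w8;
    size_t max_idx = 0, overrun = 0, bad = 0;
    uint8_t *buf;

    if (xsize <= 0 || ysize <= 0) {
        if (bad_pixels) *bad_pixels = 0;
        return 0;
    }
    buf = malloc(exact + guard);
    if (!buf) return (size_t)-1;
    memset(buf, 0, exact + guard);

    for (int y = 0; y < ysize; y += BLOCK) {
        for (int x = 0; x < xsize; x += BLOCK) {
            int rows = BLOCK, cols = BLOCK;
            if (clamp) {                  /* fix: stop at the image edge */
                if (ysize - y < rows) rows = ysize - y;
                if (xsize - x < cols) cols = xsize - x;
            }
            for (int yy = 0; yy < rows; yy++) {
                for (int xx = 0; xx < cols; xx++) {
                    /* stride is the exact width, matching the exact allocation */
                    size_t idx = (size_t)(y + yy) * xsize + (size_t)(x + xx);
                    if (idx > max_idx) max_idx = idx;
                    if (idx < exact + guard)   /* never leave the guard region */
                        buf[idx] = block_sample(y / BLOCK, x / BLOCK, yy, xx);
                }
            }
        }
    }
    if (max_idx + 1 > exact) overrun = max_idx + 1 - exact;

    /* Verify every in-image sample against what its own block produced. */
    for (int r = 0; r < ysize; r++)
        for (int c = 0; c < xsize; c++)
            if (buf[(size_t)r * xsize + c] !=
                block_sample(r / BLOCK, c / BLOCK, r % BLOCK, c % BLOCK))
                bad++;

    free(buf);
    if (bad_pixels) *bad_pixels = bad;
    return overrun;
}

int main(void)
{
    const int dims[][2] = { {13, 9}, {16, 16}, {1, 1} };  /* constructed test sizes */
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        size_t bad_unchecked, bad_clamped;
        size_t over_unchecked = run_block_copy(dims[i][0], dims[i][1], 0, &bad_unchecked);
        size_t over_clamped   = run_block_copy(dims[i][0], dims[i][1], 1, &bad_clamped);
        printf("%dx%d: unchecked overrun %zu bytes, %zu corrupted samples; "
               "clamped overrun %zu bytes, %zu corrupted samples\n",
               dims[i][0], dims[i][1], over_unchecked, bad_unchecked,
               over_clamped, bad_clamped);
    }
    return 0;
}
```

For a 13x9 image the unchecked loop writes a 16x16 extent: the last write lands at index 15*13+15, 94 bytes past a 117-byte allocation, and the overhang of each right-edge block wraps into the following row and silently overwrites 21 samples that were already correct. A 16x16 image never leaves the buffer with either loop, which is why inputs with dimensions that are multiples of 8 never show the bug. The clamped loop is the shape of fix the description implies: bound the per-block row and column counts by the distance to the image edge rather than by the block size.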

Impact Analysis

A crafted OpenEXR file (DWAA or DWAB compression with a height or width that is not a multiple of 8) triggers a heap-based out-of-bounds write (CWE-787) during decoding. The reachable outcomes range from a crash (denial of service) to heap corruption that an attacker may be able to steer toward arbitrary code execution; which of these is practical depends on the allocator state and on the privileges and sandboxing of the process that decodes the file. Because the trigger is a file, any application that passes untrusted EXR input to the affected decoder is exposed, with no privileges required beyond getting the file parsed.

Mitigation Strategies

Upgrade the affected decoder to version 8.0 or later, as the advisory recommends. Until the upgrade is deployed, treat EXR input from untrusted sources as hostile: reject files that use DWAA or DWAB compression, or decode them only in a sandboxed or otherwise isolated process, since the vulnerable code is reached by any such file whose height or width is not a multiple of 8. A quick regression check for a given build is to decode a small DWAA- or DWAB-compressed EXR whose width or height is not a multiple of 8 under AddressSanitizer or a similar heap checker; that input exercises the vulnerable copy loops, and a patched build must complete it without an out-of-bounds write.
