CVE-2025-64181
BaseFortify
Publication date: 2025-11-10
Last updated on: 2025-12-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openexr | openexr | From 3.3.0 (inc) to 3.3.6 (exc) |
| openexr | openexr | From 3.4.0 (inc) to 3.4.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-457 | The code uses a variable that has not been initialized, leading to unpredictable or unintended results. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Upgrade OpenEXR to version 3.3.6 or 3.4.3 or later; these releases contain the fix for the uninitialized-memory issue.
Can you explain this vulnerability to me?
This vulnerability in OpenEXR versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2 involves the use of uninitialized memory inside the function generic_unpack, as detected by Valgrind during fuzzing of openexr_exrcheck_fuzzer. This can lead to undefined behavior or potentially cause the program to crash or experience a denial of service.
How can this vulnerability impact me?
The vulnerability can cause undefined behavior in applications using the affected OpenEXR versions, which may result in crashes or denial of service conditions, potentially disrupting normal operations.