PyPI: openexr

CVE-2025-64181

Safety vulnerability ID: SFTY-20260406-51683

Safety legacy ID: pyup.io-92076

Created at: Apr 7, 2026
Updated at: Apr 7, 2026

Overview

OpenEXR Makes Use of Uninitialized Memory

Advisory

Affected versions of the OpenEXR package are vulnerable to Use of Uninitialised Memory due to insufficient post-decode validation of scratch buffers allocated during tile and scanline processing. The generic_unpack function in the decoding pipeline reads from a heap-allocated pixel buffer that was never fully populated by the preceding decode step, causing conditional branches to depend on uninitialized values. An attacker who supplies a crafted EXR file can trigger undefined behavior, potentially resulting in a crash and Denial of Service.

Affected Package

Affecting openexr package, versions
>=3.3.0,<3.3.6
>=3.4.0,<3.4.3

How to Fix

Upgrade openexr to 3.3.6 (for the 3.3.x series) or 3.4.3 (for the 3.4.x series), or higher.
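A check, added here as an example and not part of the advisory or the OpenEXR project, that tests an installed openexr version against the two affected ranges listed above and reports the fixed release to move to. The `check_installed` helper and the range handling are assumptions of this example; version suffixes such as rc or post tags are ignored in the comparison.

```python
"""Check an openexr version against the ranges affected by CVE-2025-64181.

Added example, not code from the advisory or the OpenEXR project. The ranges
and fixed releases are the ones stated in the advisory; everything else here
is an assumption of this example.
"""
import re
from importlib.metadata import PackageNotFoundError, version

# From the advisory: >=3.3.0,<3.3.6 and >=3.4.0,<3.4.3 are affected.
AFFECTED_RANGES = [("3.3.0", "3.3.6"), ("3.4.0", "3.4.3")]
# Fixed release per affected minor series, also from the advisory.
FIXED_VERSIONS = {"3.3": "3.3.6", "3.4": "3.4.3"}


def parse_version(v):
    """Turn 'X.Y.Z' (optionally with a suffix such as 'rc1' or '.post1')
    into a 3-tuple of ints. Only the leading numeric components are used;
    a pre-release tag is ignored, so '3.3.6rc1' compares equal to '3.3.6'."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(v):
    """True if version string v falls inside one of the affected ranges
    (lower bound inclusive, upper bound exclusive, as in the advisory)."""
    pv = parse_version(v)
    return any(parse_version(lo) <= pv < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def remediation(v):
    """Return the fixed release for v's minor series, or None if v is not affected."""
    if not is_affected(v):
        return None
    major, minor, _ = parse_version(v)
    return FIXED_VERSIONS[f"{major}.{minor}"]


def check_installed(dist="openexr"):
    """Look up the installed distribution (assumed name 'openexr') and return
    (version, affected, fix) or None when it is not installed."""
    try:
        v = version(dist)
    except PackageNotFoundError:
        return None
    return v, is_affected(v), remediation(v)
```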

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more