cnvd - cnvd-2025-24790

cnvd-2025-24790

Vulnerability from cnvd

Title

OpenEXR存在未明漏洞（CNVD-2025-24790）

Description

OpenEXR是一种高动态范围图像（HDR）文件格式的开放标准。 OpenEXR 8.0之前版本存在安全漏洞，攻击者可利用该漏洞导致堆内存损坏。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://b.corp.google.com/issues/436510316

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-59732

Impacted products

Name
OpenEXR OpenEXR <8.0

Show details on source website

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-59732",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-59732"
    }
  },
  "description": "OpenEXR\u662f\u4e00\u79cd\u9ad8\u52a8\u6001\u8303\u56f4\u56fe\u50cf\uff08HDR\uff09\u6587\u4ef6\u683c\u5f0f\u7684\u5f00\u653e\u6807\u51c6\u3002\n\nOpenEXR 8.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u5806\u5185\u5b58\u635f\u574f\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://b.corp.google.com/issues/436510316",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-24790",
  "openTime": "2025-10-24",
  "products": {
    "product": "OpenEXR OpenEXR \u003c8.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-59732",
  "serverity": "\u4e2d",
  "submitTime": "2025-10-21",
  "title": "OpenEXR\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2025-24790\uff09"
}

CVE-2025-59732 (GCVE-0-2025-59732)

Vulnerability from cvelistv5

Published

2025-10-06 08:09

Modified

2025-10-19 14:52

Severity ?

8.7 (High) - CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

CWE

CWE-787 - Out-of-bounds Write

Summary

When decoding an OpenEXR file that uses DWAA or DWAB compression, there's an implicit assumption that the height and width are divisible by 8. If the height or width of the image is not divisible by 8, the copy loops at [0] and [1] will continue to write until the next multiple of 8. The buffer td->uncompressed_data is allocated in decode_block based on the precise height and width of the image, so the "rounded-up" multiple of 8 in the copy loop can exceed the buffer bounds, and the write block starting at [2] can corrupt following heap memory. We recommend upgrading to version 8.0 or beyond.

References

URL

Tags

https://issuetracker.google.com/436510316

Impacted products

	Vendor	Product	Version
	FFmpeg	FFmpeg	Version: 9a32b863074ed4140141e0d3613905c6f1fe61c5 < 8.0 Version: 7.1.1 ≤

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59732",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-07T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-08T03:55:12.275Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://git.ffmpeg.org/ffmpeg.git",
          "defaultStatus": "unaffected",
          "packageName": "EXR",
          "product": "FFmpeg",
          "repo": "https://git.ffmpeg.org/ffmpeg.git",
          "vendor": "FFmpeg",
          "versions": [
            {
              "lessThan": "8.0",
              "status": "affected",
              "version": "9a32b863074ed4140141e0d3613905c6f1fe61c5",
              "versionType": "custom"
            },
            {
              "lessThan": "8.0",
              "status": "affected",
              "version": "7.1.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Google Big Sleep"
        }
      ],
      "datePublic": "2025-08-04T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eWhen decoding an OpenEXR file that uses DWAA or DWAB compression, there\u0027s an implicit assumption that the height and width are divisible by 8.\u003c/p\u003e\u003cp\u003eIf the height or width of the image is not divisible by 8, the copy loops at [0] and [1] will continue to write until the next multiple of 8.\u003c/p\u003e\u003cp\u003eThe buffer \u003ccode\u003etd-\u0026gt;uncompressed_data\u003c/code\u003e\u0026nbsp;is allocated in \u003ccode\u003edecode_block\u003c/code\u003e\u0026nbsp;based on the precise height and width of the image, so the \"rounded-up\" multiple of 8 in the copy loop can exceed the buffer bounds, and the write block starting at [2] can corrupt following heap memory.\u003c/p\u003e\u003cp\u003e\u003c/p\u003eWe recommend upgrading to version 8.0 or beyond.\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "When decoding an OpenEXR file that uses DWAA or DWAB compression, there\u0027s an implicit assumption that the height and width are divisible by 8.\n\nIf the height or width of the image is not divisible by 8, the copy loops at [0] and [1] will continue to write until the next multiple of 8.\n\nThe buffer td-\u003euncompressed_data\u00a0is allocated in decode_block\u00a0based on the precise height and width of the image, so the \"rounded-up\" multiple of 8 in the copy loop can exceed the buffer bounds, and the write block starting at [2] can corrupt following heap memory.\n\n\n\nWe recommend upgrading to version 8.0 or beyond."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-19T14:52:36.920Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://issuetracker.google.com/436510316"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-59732",
    "datePublished": "2025-10-06T08:09:31.276Z",
    "dateReserved": "2025-09-19T08:11:37.550Z",
    "dateUpdated": "2025-10-19T14:52:36.920Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.