2413902 – (CVE-2025-64181) CVE-2025-64181 openexr: Use of Uninitialized Memory inside generic_unpack

Bug 2413902 (CVE-2025-64181) - CVE-2025-64181 openexr: Use of Uninitialized Memory inside generic_unpack

Summary: CVE-2025-64181 openexr: Use of Uninitialized Memory inside generic_unpack

Keywords:
Status:	NEW
Alias:	CVE-2025-64181
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2418248 2418250 2418247 2418249 2418251 2418252
Blocks:
TreeView+	depends on / blocked

Reported:	2025-11-10 22:01 UTC by OSIDB Bzimport
Modified:	2025-12-02 05:57 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-11-10 22:01:34 UTC

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue.

Note You need to log in before you can comment on or make changes to this bug.