2413912 – (CVE-2025-64183) CVE-2025-64183 openexr: use after free in PyObject_StealAttrString

Bug 2413912 (CVE-2025-64183) - CVE-2025-64183 openexr: use after free in PyObject_StealAttrString

Summary: CVE-2025-64183 openexr: use after free in PyObject_StealAttrString

Keywords:
Status:	NEW
Alias:	CVE-2025-64183
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2417239 2417240 2417242 2417243 2417241 2417244
Blocks:
TreeView+	depends on / blocked

Reported:	2025-11-10 22:02 UTC by OSIDB Bzimport
Modified:	2025-12-01 12:48 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-11-10 22:02:15 UTC

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.) Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue.

Note You need to log in before you can comment on or make changes to this bug.