Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2025-64183
Good to know:
Date: November 10, 2025
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.) Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue.
Severity Score
Related Resources (4)
Severity Score
Weakness Type (CWE)
Use After Free
CWE-416Top Fix
Upgrade Version
Upgrade to version openexr - 3.2.5;openexr - 3.3.6;openexr - 3.4.3;openexr - 3.2.5;openexr - 3.3.6;openexr - 3.4.3;openexr - 3.4.3;https://github.com/AcademySoftwareFoundation/openexr.git - v3.2.5;https://github.com/AcademySoftwareFoundation/openexr.git - v3.3.6;https://github.com/AcademySoftwareFoundation/openexr.git - v3.4.3
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | LOCAL |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | NONE |
| Integrity (I): | NONE |
| Availability (A): | HIGH |