PT-2025-40879 · Openexr+4

Published: 2025-08-25 · Updated: 2026-01-27 · CVE-2025-59733

CVSS v4.0: 8.7 (High)
Vector: AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: OpenEXR versions prior to 8.0

Description: An issue exists in decoding OpenEXR files that use DWAA or DWAB compression. The decoder assumes that all image channels have the same pixel type and size, and specifically expects "B", "G", "R" and "A" channels when four channels are present. The dwa uncompress function calculates buffer sizes based on this assumption. If the main colour channels are set to a 4-byte type and additional channels of a 2-byte type are added, the calculation can exceed the allocated buffer, potentially leading to memory corruption. The vulnerable code is located in the decode header and dwa uncompress functions and involves the td->uncompressed data buffer.

Recommendations: Upgrade to version 8.0 or later.
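As an added illustration, not taken from the advisory or from the OpenEXR sources, the following C program models the sizing defect described above: a buffer sized from one pixel type assumed for every channel, beside a buffer sized by summing each channel's actual byte width, plus a gate that refuses to decode into a buffer smaller than the per-channel requirement. The enum, struct and function names, and the channel layout, are constructed for this example and are not OpenEXR's own identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pixel types and their byte widths. Constructed for this example; the sizes
   match OpenEXR's HALF (2), FLOAT (4) and UINT (4) but this is not the
   library's own enum. */
typedef enum { PT_HALF = 0, PT_FLOAT = 1, PT_UINT = 2 } pixel_type;

typedef struct {
    const char *name;
    pixel_type  type;
} channel_desc;

static size_t pixel_type_bytes(pixel_type t)
{
    switch (t) {
    case PT_HALF:  return 2;
    case PT_FLOAT: return 4;
    case PT_UINT:  return 4;
    }
    return 0;
}

/* Multiply with overflow detection; returns 0 and leaves *out untouched on overflow. */
static int mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Model of the flawed sizing the advisory describes: one pixel type is assumed
   for every channel, so the buffer is pixels * channels * bytes(assumed). */
size_t uniform_buffer_bytes(size_t nch, size_t width, size_t height, pixel_type assumed)
{
    size_t pixels, per_channel, total;
    if (!mul_checked(width, height, &pixels)) return 0;
    if (!mul_checked(pixels, pixel_type_bytes(assumed), &per_channel)) return 0;
    if (!mul_checked(per_channel, nch, &total)) return 0;
    return total;
}

/* Correct sizing: each channel contributes its own byte width. Returns 0 on
   arithmetic overflow so a caller never allocates a wrapped-around size. */
size_t per_channel_buffer_bytes(const channel_desc *ch, size_t nch, size_t width, size_t height)
{
    size_t pixels, total = 0;
    if (!mul_checked(width, height, &pixels)) return 0;
    for (size_t i = 0; i < nch; i++) {
        size_t bytes;
        if (!mul_checked(pixels, pixel_type_bytes(ch[i].type), &bytes)) return 0;
        if (total > SIZE_MAX - bytes) return 0;
        total += bytes;
    }
    return total;
}

/* 1 if every channel has the same pixel type, 0 otherwise. */
int channels_share_pixel_type(const channel_desc *ch, size_t nch)
{
    for (size_t i = 1; i < nch; i++)
        if (ch[i].type != ch[0].type) return 0;
    return 1;
}

/* Gate a decode: accept only when the allocated buffer is at least as large as
   the per-channel requirement (and that requirement did not overflow). */
int decode_buffer_is_safe(size_t allocated, const channel_desc *ch, size_t nch,
                          size_t width, size_t height)
{
    size_t need = per_channel_buffer_bytes(ch, nch, width, height);
    return need != 0 && allocated >= need;
}

/* Constructed layout: four 4-byte colour channels plus two 2-byte extras. */
const channel_desc EXAMPLE_MIXED[] = {
    {"R", PT_FLOAT}, {"G", PT_FLOAT}, {"B", PT_FLOAT}, {"A", PT_FLOAT},
    {"X", PT_HALF},  {"Y", PT_HALF},
};
#define EXAMPLE_NCH (sizeof EXAMPLE_MIXED / sizeof EXAMPLE_MIXED[0])

int main(void)
{
    size_t need    = per_channel_buffer_bytes(EXAMPLE_MIXED, EXAMPLE_NCH, 4, 2);
    size_t assumed = uniform_buffer_bytes(EXAMPLE_NCH, 4, 2, PT_HALF);
    printf("channels share one pixel type: %s\n",
           channels_share_pixel_type(EXAMPLE_MIXED, EXAMPLE_NCH) ? "yes" : "no");
    printf("per-channel requirement: %zu bytes, uniform-type assumption: %zu bytes\n",
           need, assumed);
    printf("decode into the assumed-size buffer: %s\n",
           decode_buffer_is_safe(assumed, EXAMPLE_MIXED, EXAMPLE_NCH, 4, 2) ? "safe" : "rejected");
    return 0;
}
```

For a 4x2 image with this layout the per-channel sum is 160 bytes, while assuming a 2-byte type for all six channels yields only 96 bytes, so the gate rejects that buffer; the point is that buffer sizing for mixed-type channel lists has to come from the declared type of each channel, never from one assumed type, and that the size arithmetic itself must be overflow-checked before it is handed to an allocator.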

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

BDU:2025-12714
CVE-2025-59733
DSA-5985-1
DSA-6007-1
MGASA-2025-0306
USN-7982-1

Affected Products

Debian
Linuxmint
Openexr
Red Os
Ubuntu