GHSA-3H9H-QFVW-98HQ

Vulnerability from github – Published: 2026-04-06 17:51 – Updated: 2026-04-06 17:51
VLAI?
Summary
OpenEXR Makes Use of Uninitialized Memory
Details

Summary

While fuzzing openexr_exrcheck_fuzzer, Valgrind reports a conditional branch depending on uninitialized data inside generic_unpack. This indicates a use of uninitialized memory (CWE-457). The issue is reproducible with the current OSS-Fuzz harness and a single-file PoC.

Details

Environment: - Tooling: valgrind --tool=memcheck --track-origins=yes - Target: openexr_exrcheck_fuzzer - OS: Ubuntu 20.04.6 LTS focal x86_64 - openexr version and Git-commit hash: openexr 3.4.2 | commit fd657e8a41e157e5841c7cc2e2a5efe094b069a1 (grafted, HEAD -> main, origin/main, origin/HEAD)

Function: generic_unpack

Possible root cause (based on observed symptoms): The unpacker is branching on bytes in a scratch buffer that were never written because the decode step didn’t fully populate it. - The first use flagged is in generic_unpack(). That function reads from the decompressed/expanded pixel buffer to scatter data into the framebuffer. A “conditional jump depends on uninitialised value(s)” means it’s consulting bytes in that buffer before they were written. - Valgrind says the uninitialised value “was created by a heap allocation (malloc)”, not the stack: this matches a per-tile/per-scanline decode scratch buffer allocated in exr_decoding_run().

Valgrind Trace (top frames):

==454== Conditional jump or move depends on uninitialised value(s)
==454==    at 0x4539BE: generic_unpack (in /out/openexr_exrcheck_fuzzer)
==454==    by 0x44B85F: exr_decoding_run (in /out/openexr_exrcheck_fuzzer)
==454==    by 0x38BC5F: Imf_4_0::(anonymous namespace)::TileProcess::run_decode(_priv_exr_context_t const*, int, Imf_4_0::FrameBuffer const*, std::__1::vector<Imf_4_0::Slice, std::__1::allocator<Imf_4_0::Slice> > const&) (in /out/openexr_exrcheck_fuzzer)
==454==    by 0x388BE1: Imf_4_0::TiledInputFile::Data::readTiles(int, int, int, int, int, int) (in /out/openexr_exrcheck_fuzzer)
==454==    by 0x388619: Imf_4_0::TiledInputFile::readTiles(int, int, int, int, int, int) (in /out/openexr_exrcheck_fuzzer)
==454==    by 0x353755: Imf_4_0::InputFile::Data::bufferedReadPixels(int, int) (in /out/openexr_exrcheck_fuzzer)
==454==    by 0x352286: Imf_4_0::InputFile::readPixels(int) (in /out/openexr_exrcheck_fuzzer)
==454==    by 0x3190FA: Imf_4_0::(anonymous namespace)::readMultiPart(Imf_4_0::MultiPartInputFile&, bool, bool) (in /out/openexr_exrcheck_fuzzer)
==454==    by 0x314C4D: Imf_4_0::checkOpenEXRFile(char const*, unsigned long, bool, bool, bool) (in /out/openexr_exrcheck_fuzzer)
==454==  Uninitialised value was created by a heap allocation at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)

PoC

In the attached archive, you will find: - The executable used for our tests. - The testcase used to trigger the bug.

To observe the bug, simply run the OSS-Fuzz helper script:

git clone https://github.com/google/oss-fuzz.git
cd oss-fuzz

python3 infra/helper.py build_image openexr
python3 infra/helper.py build_fuzzers --sanitizer=none openexr
python3 infra/helper.py shell openexr

apt update && apt install -y valgrind
ulimit -n 65535
valgrind --tool=memcheck --track-origins=yes /out/openexr_exrcheck_fuzzer /path/to/poc

Impact

  • Undefined Behavior
  • Potential crash
  • Denial of Service

Credit: Aldo Ristori archive0.zip

Update Note:

Other saved testcases from the fuzzing campaign trigger the same underlying bug, but with a different manifestation. So there is one root cause (missing post-decode validation / zero-init before any unpack), with different call-sites. Below there are several archives, formatted like the previous one, that reproduce the other test cases.

Other observed sinks (distinct manifestations of the same bug):

Deep pointers path: generic_unpack_deep_pointers (deep scanline/tiled) archive1.zip

Deep sample table path: unpack_sample_table (deep scanline) archive2.zip

Half conversion path: half_to_float_buffer_f16c via unpack_half_to_float_3chan_planar archive3.zip

Deep compositing: CompositeDeepScanLine::readPixels → ThreadPool::addTask → LineCompositeTask::execute archive4.zip

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2.0 (Low)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "OpenEXR"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "OpenEXR"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.0"
            },
            {
              "fixed": "3.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64181"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-06T17:51:11Z",
    "nvd_published_at": "2025-11-10T22:15:36Z",
    "severity": "LOW"
  },
  "details": "### Summary\nWhile fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory (CWE-457). The issue is reproducible with the current OSS-Fuzz harness and a single-file PoC.\n\n### Details\n\n**Environment:**\n- Tooling: `valgrind --tool=memcheck --track-origins=yes`\n- Target: `openexr_exrcheck_fuzzer`\n- OS: Ubuntu 20.04.6 LTS focal x86_64\n- openexr version and Git-commit hash: ` openexr 3.4.2 | commit fd657e8a41e157e5841c7cc2e2a5efe094b069a1 (grafted, HEAD -\u003e main, origin/main, origin/HEAD)`\n\nFunction: `generic_unpack`\n\nPossible root cause (based on observed symptoms):\nThe unpacker is branching on bytes in a scratch buffer that were never written because the decode step didn\u2019t fully populate it.\n- The first use flagged is in `generic_unpack()`. That function reads from the decompressed/expanded pixel buffer to scatter data into the framebuffer. A \u201cconditional jump depends on uninitialised value(s)\u201d means it\u2019s consulting bytes in that buffer before they were written.\n- Valgrind says the uninitialised value \u201cwas created by a heap allocation (malloc)\u201d, not the stack: this matches a per-tile/per-scanline decode scratch buffer allocated in `exr_decoding_run()`.\n\n**Valgrind Trace (top frames):**\n```bash\n==454== Conditional jump or move depends on uninitialised value(s)\n==454==    at 0x4539BE: generic_unpack (in /out/openexr_exrcheck_fuzzer)\n==454==    by 0x44B85F: exr_decoding_run (in /out/openexr_exrcheck_fuzzer)\n==454==    by 0x38BC5F: Imf_4_0::(anonymous namespace)::TileProcess::run_decode(_priv_exr_context_t const*, int, Imf_4_0::FrameBuffer const*, std::__1::vector\u003cImf_4_0::Slice, std::__1::allocator\u003cImf_4_0::Slice\u003e \u003e const\u0026) (in /out/openexr_exrcheck_fuzzer)\n==454==    by 0x388BE1: Imf_4_0::TiledInputFile::Data::readTiles(int, int, int, int, int, int) (in /out/openexr_exrcheck_fuzzer)\n==454==    by 0x388619: Imf_4_0::TiledInputFile::readTiles(int, int, int, int, int, int) (in /out/openexr_exrcheck_fuzzer)\n==454==    by 0x353755: Imf_4_0::InputFile::Data::bufferedReadPixels(int, int) (in /out/openexr_exrcheck_fuzzer)\n==454==    by 0x352286: Imf_4_0::InputFile::readPixels(int) (in /out/openexr_exrcheck_fuzzer)\n==454==    by 0x3190FA: Imf_4_0::(anonymous namespace)::readMultiPart(Imf_4_0::MultiPartInputFile\u0026, bool, bool) (in /out/openexr_exrcheck_fuzzer)\n==454==    by 0x314C4D: Imf_4_0::checkOpenEXRFile(char const*, unsigned long, bool, bool, bool) (in /out/openexr_exrcheck_fuzzer)\n==454==  Uninitialised value was created by a heap allocation at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)\n```\n\n### PoC\nIn the attached archive, you will find:\n- The executable used for our tests.\n- The testcase used to trigger the bug.\n\nTo observe the bug, simply run the OSS-Fuzz helper script:\n```bash\ngit clone https://github.com/google/oss-fuzz.git\ncd oss-fuzz\n\npython3 infra/helper.py build_image openexr\npython3 infra/helper.py build_fuzzers --sanitizer=none openexr\npython3 infra/helper.py shell openexr\n\napt update \u0026\u0026 apt install -y valgrind\nulimit -n 65535\nvalgrind --tool=memcheck --track-origins=yes /out/openexr_exrcheck_fuzzer /path/to/poc\n```\n\n### Impact\n- Undefined Behavior\n- Potential crash\n- Denial of Service\n\n**Credit:** Aldo Ristori\n[archive0.zip](https://github.com/user-attachments/files/23024726/archive0.zip)\n\n\n\n### Update Note:\nOther saved testcases from the fuzzing campaign trigger the same underlying bug, but with a different manifestation. So there is one root cause (missing post-decode validation / zero-init before any unpack), with different call-sites. Below there are several archives, formatted like the previous one, that reproduce the other test cases.\n\n**Other observed sinks (distinct manifestations of the same bug):**\n\n**Deep pointers path:**\ngeneric_unpack_deep_pointers (deep scanline/tiled)\n[archive1.zip](https://github.com/user-attachments/files/23024736/archive1.zip)\n\n\n**Deep sample table path:**\nunpack_sample_table (deep scanline)\n[archive2.zip](https://github.com/user-attachments/files/23024740/archive2.zip)\n\n\n**Half conversion path:**\nhalf_to_float_buffer_f16c via unpack_half_to_float_3chan_planar\n[archive3.zip](https://github.com/user-attachments/files/23024744/archive3.zip)\n\n\n**Deep compositing:**\nCompositeDeepScanLine::readPixels \u2192 ThreadPool::addTask \u2192 LineCompositeTask::execute\n[archive4.zip](https://github.com/user-attachments/files/23024746/archive4.zip)",
  "id": "GHSA-3h9h-qfvw-98hq",
  "modified": "2026-04-06T17:51:11Z",
  "published": "2026-04-06T17:51:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3h9h-qfvw-98hq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64181"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AcademySoftwareFoundation/openexr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/user-attachments/files/23024726/archive0.zip"
    },
    {
      "type": "WEB",
      "url": "https://github.com/user-attachments/files/23024736/archive1.zip"
    },
    {
      "type": "WEB",
      "url": "https://github.com/user-attachments/files/23024740/archive2.zip"
    },
    {
      "type": "WEB",
      "url": "https://github.com/user-attachments/files/23024744/archive3.zip"
    },
    {
      "type": "WEB",
      "url": "https://github.com/user-attachments/files/23024746/archive4.zip"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenEXR Makes Use of Uninitialized Memory"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.