
CVE-2025-48072: CWE-125: Out-of-bounds Read in AcademySoftwareFoundation openexr

Medium
Tags: Vulnerability, CVE-2025-48072, cve, cwe-125
Published: Thu Jul 31 2025 (07/31/2025, 20:18:40 UTC)
Source: CVE Database V5
Vendor/Project: AcademySoftwareFoundation
Product: openexr

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.

AI-Powered Analysis

AI analysis last updated: 07/31/2025, 20:47:53 UTC

Technical Analysis

CVE-2025-48072 is a medium-severity vulnerability in the AcademySoftwareFoundation openexr library, affecting version 3.3.2 and fixed in 3.3.3. OpenEXR is the widely used open-source high-dynamic-range image format, and its reference implementation, of the motion picture industry. The vulnerability is classified as CWE-125, an out-of-bounds read: while decompressing a DWAA-compressed scan-line EXR file, bad pointer arithmetic when handling a maliciously forged chunk causes the decoder to read past the end of a heap buffer. An out-of-bounds read of this kind typically crashes the process (denial of service) or discloses adjacent heap contents; the advisory does not describe an out-of-bounds write, and the CVSS vector records no integrity impact, so arbitrary code execution is not indicated by the available data. Exploitation requires the victim to open or process a specially crafted EXR file, so user interaction is needed. The CVSS v4.0 base score is 6.8 (medium): local attack vector, low attack complexity, no privileges required, user interaction required, high confidentiality and availability impact, no integrity impact. No exploits in the wild were reported as of the publication date. The issue is resolved in openexr 3.3.3.

Potential Impact

For European organizations, especially those in media production, visual effects, animation, and post-production, this vulnerability poses a tangible risk. OpenEXR is a standard interchange format in these sectors, and a forged DWAA scan-line file processed in a production pipeline or on a render farm can crash the consuming process or leak heap memory from it, which may include other image data or credentials held by the application. Crashes in batch rendering or ingest jobs disrupt workflows and cost money; memory disclosure can expose unreleased visual assets. Organizations that embed openexr in proprietary tools, or that depend on third-party DCC applications and renderers bundling their own copy of the library, inherit the same exposure. Because the attack vector is local and requires user interaction, the threat is greatest where EXR files from outside the organization (vendors, contractors, crowd-sourced or public submissions) are imported or processed automatically without validation.

Mitigation Recommendations

European organizations should upgrade every openexr deployment to version 3.3.3 or later. That includes statically linked and vendored copies: inventory DCC tools, renderers, image viewers, conversion services and language bindings that ship their own build of the library, since a system-wide package upgrade does not fix those. Where immediate patching is not feasible, reduce exposure in the interim: process EXR files from untrusted sources only inside a sandbox or disposable container with no access to production assets or credentials; gate automated ingestion so that files whose header declares DWAA compression are quarantined for manual review until the consuming tool is patched; and restrict accepted sources of EXR files to known vendors and partners. Monitor for crashes or abnormal terminations in applications handling EXR files, which may indicate malformed or malicious input. Organizations developing tools on top of openexr should update the dependency and review their own decompression and chunk-handling code for bounds checks on attacker-controlled sizes. Finally, remind users that an EXR file from an unknown source is an untrusted input like any other attachment.
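The interim gate described above needs a way to tell, before a file ever reaches the decoder, whether it is a DWAA-compressed scan-line EXR. The following Python is an added example written for this page; it is not code from the original advisory or from the OpenEXR project. It relies only on the public OpenEXR file layout (4-byte magic 76 2F 31 01, a 32-bit version word whose bit 9 marks tiled files, then a list of name/type/size/value attributes ended by an empty name), reads the header with explicit bounds checks rather than trusting any size field, and reports the compression scheme. The sample headers it builds in `build_sample_header` are constructed for the demonstration and are not real production files; for multipart files only the first part's header is examined.

```python
import struct

EXR_MAGIC = b"\x76\x2f\x31\x01"
# Compression enum values from the OpenEXR file format. DWAA (8) is the
# scheme named in CVE-2025-48072; the bug is in the scan-line decoder.
COMPRESSION_NAMES = {
    0: "NO_COMPRESSION", 1: "RLE", 2: "ZIPS", 3: "ZIP", 4: "PIZ",
    5: "PXR24", 6: "B44", 7: "B44A", 8: "DWAA", 9: "DWAB",
}
DWAA = 8


def _read_cstring(data: bytes, pos: int):
    """Read a NUL-terminated string; fail loudly if the terminator is missing."""
    end = data.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated string in header")
    return data[pos:end].decode("ascii", errors="replace"), end + 1


def parse_exr_header(data: bytes):
    """Parse the first header of an EXR file into (version, flags, attributes).

    Attributes map name -> (type name, raw value bytes). Every length taken
    from the file is checked against the buffer before it is used, so a
    forged header raises ValueError instead of reading out of bounds.
    """
    if len(data) < 8 or data[:4] != EXR_MAGIC:
        raise ValueError("not an EXR file (bad magic)")
    version_word = struct.unpack_from("<I", data, 4)[0]
    flags = {
        "tiled": bool(version_word & 0x200),
        "long_names": bool(version_word & 0x400),
        "deep": bool(version_word & 0x800),
        "multipart": bool(version_word & 0x1000),  # only the first part is parsed here
    }
    pos, attrs = 8, {}
    while True:
        if pos >= len(data):
            raise ValueError("truncated header (no terminator)")
        if data[pos] == 0:  # an empty attribute name ends the header
            break
        name, pos = _read_cstring(data, pos)
        atype, pos = _read_cstring(data, pos)
        if pos + 4 > len(data):
            raise ValueError(f"truncated size field for attribute {name!r}")
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        if size > len(data) - pos:  # attacker-controlled size: bounds-check first
            raise ValueError(f"attribute {name!r} claims {size} bytes past end of data")
        attrs[name] = (atype, data[pos:pos + size])
        pos += size
    return version_word & 0xFF, flags, attrs


def classify_exr(data: bytes):
    """Return (compression name, True if DWAA scan-line, header flags)."""
    _version, flags, attrs = parse_exr_header(data)
    atype, raw = attrs.get("compression", (None, b""))
    if atype != "compression" or len(raw) != 1:
        raise ValueError("missing or malformed compression attribute")
    code = raw[0]
    name = COMPRESSION_NAMES.get(code, f"UNKNOWN({code})")
    return name, (code == DWAA and not flags["tiled"]), flags


def build_sample_header(compression: int, tiled: bool = False) -> bytes:
    """Constructed minimal single-part header for demonstration (not a real file)."""
    out = bytearray(EXR_MAGIC + struct.pack("<I", 2 | (0x200 if tiled else 0)))

    def attr(name: str, atype: str, value: bytes):
        out.extend(name.encode() + b"\x00" + atype.encode() + b"\x00")
        out.extend(struct.pack("<I", len(value)) + value)

    attr("compression", "compression", bytes([compression]))
    attr("dataWindow", "box2i", struct.pack("<4i", 0, 0, 63, 63))
    out.append(0)  # header terminator
    return bytes(out)


def triage_file(path: str, max_bytes: int = 1 << 20):
    """Classify an on-disk file by reading only its header region."""
    with open(path, "rb") as fh:
        return classify_exr(fh.read(max_bytes))


if __name__ == "__main__":
    for code in (DWAA, 3):
        print(classify_exr(build_sample_header(code)))
```

Wire `triage_file` into the ingest step and route anything reported as DWAA scan-line to quarantine while unpatched tools remain in the pipeline. The check is deliberately conservative: a header that fails to parse is treated as suspicious rather than passed through, and a tiled DWAA file is not flagged because the advisory names scan-line files specifically.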


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-05-15T16:06:40.942Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 688bd2edad5a09ad00bc1fda

Added to database: 7/31/2025, 8:32:45 PM

Last enriched: 7/31/2025, 8:47:53 PM

Last updated: 8/1/2025, 1:48:45 PM
