How to fix CVE-2025-64183?

Within 30 days: Identify affected systems running versions 3.2.0 and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Is Memory Corruption affected by CVE-2025-64183?

Organizations using versions 3.2.0 should be aware of moderate risk from CVE-2025-64183, a use-after-free vulnerability rated CVSS 5.5. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available.

CVE-2025-64183

EUVD-2025-50826 MEDIUM

2025-11-10 [email protected]

GHSA-57cw-j6vp-2p9m

5.5

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch Released

Apr 06, 2026 - 20:30 nvd

Patch available

Analysis Generated

Mar 28, 2026 - 19:21 vuln.today

EUVD ID Assigned

Mar 28, 2026 - 19:21 euvd

EUVD-2025-50826

PoC Detected

Dec 08, 2025 - 16:00 vuln.today

Public exploit code

CVE Published

Nov 10, 2025 - 22:15 nvd

MEDIUM 5.5

Description

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.) Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue.

Analysis

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical Context

This vulnerability is classified as Use After Free (CWE-416), which allows attackers to access freed memory to execute arbitrary code or crash the application. OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.) Versions 3.2.5, 3.3.6, and 3.4.3 fix the issue. Affected products include: Openexr. Version information: through 3.2.4.

Affected Products

Openexr.

Remediation

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use smart pointers or garbage-collected languages. Set pointers to NULL after freeing. Enable memory sanitizers.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +28

POC: +20

Vendor Status

CVE-2025-64183 vulnerability details – vuln.today

Back

CVE-2025-64183

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-64183

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code