CVE-2023-5841

OpenEXR Heap Overflow in Scanline Deep Data Parsing

Published: 2/1/2024 Last updated: 5/15/2025 Reserved: 10/29/2023

Due to a failure in validating the number of scanline samples of an OpenEXR file containing deep scanline data, the Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions v3.2.2 and v3.1.12 of the affected library.

CNA assigner: AHA (26969f82-7e87-44d8-9cb5-f6fb926ddd43) Requested by: n/a

Metrics

Version | Score | Severity | Vector String
3.1 | 9.1 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Opam packages affected (1)

conf-openimageio

Products affected (1)

Product | Vendor | Version
OpenEXR | Academy Software Foundation | 10 Version 1607 for x64-based Systems
