Alpine: multiple openexr packages: security update to 3.4.2-r0

high Tenable Self-Hosted Container Security Plugin ID 436235

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- OpenEXR provides the specification and reference implementation of the EXR file format, an image storage
format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer
overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a
maliciously forged chunk header. This is fixed in version 3.3.3. (CVE-2025-48071)

- OpenEXR provides the specification and reference implementation of the EXR file format, an image storage
format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during
a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a
maliciously forged chunk. This is fixed in version 3.3.3. (CVE-2025-48072)

- OpenEXR provides the specification and reference implementation of the EXR file format, an image storage
format for the motion picture industry. In version 3.3.2, when reading a deep scanline image with a large
sample count in reduceMemory mode, it is possible to crash a target application with a NULL pointer
dereference in a write operation. This is fixed in version 3.3.3. (CVE-2025-48073)

- OpenEXR provides the specification and reference implementation of the EXR file format, an image storage
format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size
values from file headers, which can lead to excessive memory allocation and performance degradation when
processing malicious files. This is fixed in version 3.3.3. (CVE-2025-48074)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-48071

https://security.alpinelinux.org/vuln/CVE-2025-48072

https://security.alpinelinux.org/vuln/CVE-2025-48073

https://security.alpinelinux.org/vuln/CVE-2025-48074

Plugin Details

Severity: High

ID: 436235

Version: Revision 1.2

Type: Local

Published: 12/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.07

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C

CVSS Score Source: CVE-2025-48072

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.4

Threat Score: 7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2025-48071

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 7/31/2025

Reference Information

CVE: CVE-2025-48071, CVE-2025-48072, CVE-2025-48073, CVE-2025-48074