CVE-2025-55780

CVE-2025-55780

Name

CVE-2025-55780

Description

A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
cve@mitre.org	https://bugs.ghostscript.com/show_bug.cgi?id=708720
cve@mitre.org	https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=bdd5d241748807378a78a622388e0312332513c5
cve@mitre.org	https://github.com/ISH2YU/CVE-2025-55780/tree/main

Type

URI

cve@mitre.org

https://bugs.ghostscript.com/show_bug.cgi?id=708720

cve@mitre.org

https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=bdd5d241748807378a78a622388e0312332513c5

cve@mitre.org

https://github.com/ISH2YU/CVE-2025-55780/tree/main

CPE URI	Source package	Min version	Max version
	n/a	== n/a	== n/a
`cpe:2.3:a:artifex:mupdf::::::::`	mupdf	>= 1.24.0	< 1.26.7

CPE URI

Source package

Min version

Max version

n/a

== n/a

cpe:2.3:a:artifex:mupdf:*:*:*:*:*:*:*:*

mupdf

>= 1.24.0

< 1.26.7

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
mupdf	edge-community	1.24.10-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
mupdf	edge-community	1.25.1-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
mupdf	edge-community	1.25.2-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
mupdf	edge-community	1.25.2-r1	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
mupdf	edge-community	1.25.3-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
mupdf	edge-community	1.25.4-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
mupdf	edge-community	1.25.5-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
mupdf	edge-community	1.25.6-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
mupdf	edge-community	1.25.6-r1	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
mupdf	edge-community	1.25.6-r2	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
mupdf	edge-community	1.26.2-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
mupdf	edge-community	1.26.4-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
mupdf	3.22-community	1.24.10-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable
mupdf	3.22-community	1.25.6-r1	Sören Tempel <soeren+alpine@soeren-tempel.net>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

mupdf

edge-community

1.24.10-r0

Sören Tempel <soeren+alpine@soeren-tempel.net>

possibly vulnerable

mupdf

edge-community