CVE-2025-46397
📋 TL;DR
A buffer overflow vulnerability in xfig's bezier_spline function allows local attackers to execute arbitrary code by manipulating input. This affects systems running vulnerable versions of xfig, primarily impacting users who process untrusted local files with the software.
💻 Affected Systems
- xfig
📦 What is this software?
Fig2dev by Fig2dev Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root privileges if exploited by a local attacker, leading to data theft, persistence, or lateral movement.
Likely Case
Local privilege escalation or arbitrary code execution in the context of the user running xfig, potentially compromising user data and system integrity.
If Mitigated
Limited impact if proper access controls restrict local user privileges and file processing from untrusted sources.
🎯 Exploit Status
Exploitation requires local access and user interaction with crafted input; buffer overflow (CWE-120) suggests potential for reliable exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched versions referenced in Red Hat advisories RHSA-2026:0700, RHSA-2026:0704, RHSA-2026:0705, RHSA-2026:0756
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-46397
Restart Required: No
Instructions:
1. Check your Linux distribution's package manager for available updates.
2. For Red Hat systems, apply the relevant RHSA patches using 'yum update' or 'dnf update'.
3. Verify that the update installs a patched version of xfig.
🔧 Temporary Workarounds
Restrict xfig usage
Limit execution of xfig to trusted users and avoid processing untrusted local files. Note that a package update or reinstall replaces the binary with the packaged file mode and without the ACL, so re-apply these permissions after any update of the package.
chmod 750 /usr/bin/xfig
setfacl -m u:trusted_user:rx /usr/bin/xfig
🧯 If You Can't Patch
- Remove or disable xfig if not required for operations.
- Implement strict file integrity monitoring and user activity logging for xfig executions.
🔍 How to Verify
Check if Vulnerable:
Check xfig version and compare against patched versions in Red Hat advisories; if unpatched and local file processing occurs, assume vulnerable.
Check Version:
xfig --version 2>&1 | head -1
Verify Fix Applied:
Confirm xfig has been updated to a version that includes the patches from the RHSA-2026:0700, RHSA-2026:0704, RHSA-2026:0705 or RHSA-2026:0756 advisories.
📡 Detection & Monitoring
Log Indicators:
- Unusual process executions or crashes of xfig, especially with suspicious file inputs.
Network Indicators:
- Not applicable - this is a local vulnerability.
SIEM Query:
Process creation where image='xfig' AND command_line CONTAINS suspicious file patterns
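The pseudo-query above can be turned into concrete detection logic. The following is an added example, not part of the advisory: it parses a simple process-creation log format constructed for this example (one event per line, `<timestamp> uid=<n> exe=<path> args=<argv>`), and raises an alert when xfig or fig2dev is launched with an input file from a location that commonly holds files of untrusted origin. The binary names, the list of untrusted locations and the sample log lines are assumptions; real sources such as auditd EXECVE records or EDR telemetry use different fields, so the parser is the part to adapt.

```python
"""Flag xfig / fig2dev executions whose input comes from untrusted locations.

Added example for CVE-2025-46397 detection; the log format below is
constructed for this example and is not a real auditd or EDR format.
"""
import os
import re
import shlex
from dataclasses import dataclass

# Binaries the advisory associates with the vulnerable code path (assumption:
# both names are watched because distributions ship both from the same source).
WATCHED_BINARIES = {"xfig", "fig2dev"}

# Directories and path fragments that typically hold files of untrusted
# origin. Assumption; tune this list for the environment.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
UNTRUSTED_MARKERS = ("/Downloads/", "/.cache/")

# Constructed log format: ISO timestamp, numeric uid, executable path, argv.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) exe=(?P<exe>\S+) args=(?P<args>.*)$"
)


@dataclass
class Event:
    ts: str
    uid: int
    exe: str
    argv: list


@dataclass
class Alert:
    event: Event
    reasons: list


def parse_event(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        argv = shlex.split(m.group("args"))
    except ValueError:  # unbalanced quotes in argv: fall back to whitespace split
        argv = m.group("args").split()
    return Event(m.group("ts"), int(m.group("uid")), m.group("exe"), argv)


def is_untrusted_path(arg):
    """True if an absolute path argument points into an untrusted location.

    Relative paths are not classified because the working directory is not in
    this log format; a real source that records cwd should resolve them first.
    """
    if not arg.startswith("/"):
        return False
    return arg.startswith(UNTRUSTED_PREFIXES) or any(mk in arg for mk in UNTRUSTED_MARKERS)


def assess(event):
    """Return an Alert for a watched binary fed an untrusted file, else None."""
    if os.path.basename(event.exe) not in WATCHED_BINARIES:
        return None
    reasons = [f"input from untrusted location: {a}"
               for a in event.argv if is_untrusted_path(a)]
    if not reasons:
        return None
    if event.uid == 0:
        # Not a trigger on its own, but raises the impact of a successful overflow.
        reasons.append("running as root")
    return Alert(event, reasons)


def scan(lines):
    """Run every log line through the parser and the assessment; collect alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        alert = assess(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: lines 2, 3 and 5 should alert, lines 1 and 4 should not.
SAMPLE_LOG = """\
2026-02-03T10:12:01Z uid=1001 exe=/usr/bin/xfig args=/home/alice/work/diagram.fig
2026-02-03T10:12:44Z uid=1001 exe=/usr/bin/fig2dev args=-L png /tmp/attachment_4711.fig out.png
2026-02-03T10:13:02Z uid=1001 exe=/usr/bin/xfig args=/home/alice/Downloads/invoice.fig
2026-02-03T10:13:30Z uid=1002 exe=/usr/bin/vim args=/tmp/notes.txt
2026-02-03T10:14:10Z uid=0 exe=/usr/bin/xfig args=/var/tmp/report.fig
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"{alert.event.ts} uid={alert.event.uid} {alert.event.exe}: "
              + "; ".join(alert.reasons))
```

The untrusted-location list is the tunable part: it encodes what "suspicious file patterns" means for a given site, and crashes of the watched binaries (the other log indicator above) would be correlated from a separate signal such as core-dump or segfault records.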
🔗 References
- https://access.redhat.com/errata/RHSA-2026:0700
- https://access.redhat.com/errata/RHSA-2026:0704
- https://access.redhat.com/errata/RHSA-2026:0705
- https://access.redhat.com/errata/RHSA-2026:0756
- https://access.redhat.com/security/cve/CVE-2025-46397
- https://bugzilla.redhat.com/show_bug.cgi?id=2362058
- https://sourceforge.net/p/mcj/tickets/192/
- https://lists.debian.org/debian-lts-announce/2025/04/msg00043.html