CVE-2025-64503
📋 TL;DR
CVE-2025-64503 is an integer overflow vulnerability in cups-filters' pdftoraster tool that can lead to out-of-bounds memory writes when processing malicious PDF files with large MediaBox values. This affects systems using CUPS printing services on non-macOS operating systems. The vulnerability could potentially lead to denial of service or arbitrary code execution.
💻 Affected Systems
- cups-filters
- libcupsfilters
📦 What is this software?
Cups Filters by Openprinting
Libcupsfilters by Openprinting
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if the out-of-bounds write can be controlled to execute arbitrary code.
Likely Case
Denial of service through application crash or instability in the printing service.
If Mitigated
Limited impact with proper network segmentation and PDF file validation in place.
🎯 Exploit Status
Exploitation requires crafting a malicious PDF file with specific MediaBox values and getting it processed through the vulnerable pdftoraster filter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.28.18
Vendor Advisory: https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-893j-2wr2-wrh9
Restart Required: Yes
Instructions:
1. Update cups-filters to version 1.28.18 or later using your distribution's package manager. 2. Restart CUPS service: sudo systemctl restart cups. 3. Verify the update was successful.
🔧 Temporary Workarounds
Disable PDF processing
linuxConfigure CUPS to not use pdftoraster filter for PDF processing
sudo mv /usr/lib/cups/filter/pdftoraster /usr/lib/cups/filter/pdftoraster.disabled
Restrict PDF file uploads
allImplement file validation to reject PDFs with suspicious MediaBox dimensions
🧯 If You Can't Patch
- Implement network segmentation to isolate print servers from untrusted networks
- Deploy application allowlisting to prevent execution of malicious PDF files
🔍 How to Verify
Check if Vulnerable:
Check cups-filters version: rpm -q cups-filters (RHEL/CentOS/Fedora) or dpkg -l cups-filters (Debian/Ubuntu)Check Version:
cups-config --version || rpm -q cups-filters || dpkg -l cups-filtersVerify Fix Applied:
Verify version is 1.28.18 or higher and check that the patch commit 50d94ca0f2fa6177613c97c59791bde568631865 is included📡 Detection & Monitoring
Log Indicators:
- CUPS error logs showing pdftoraster crashes
- System logs with segmentation faults in cups-filters processes
Network Indicators:
- Unusual PDF file uploads to print servers
- Multiple failed print jobs with PDF files
SIEM Query:
source="cups" AND (error OR crash OR segmentation) AND pdftoraster🔗 References
- https://github.com/OpenPrinting/cups-filters/blob/aea8d0db017e495b0204433ebdb0e86b4871094c/filter/pdftoraster.cxx#L1620
- https://github.com/OpenPrinting/cups-filters/blob/aea8d0db017e495b0204433ebdb0e86b4871094c/filter/pdftoraster.cxx#L1880
- https://github.com/OpenPrinting/cups-filters/commit/50d94ca0f2fa6177613c97c59791bde568631865
- https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-893j-2wr2-wrh9
- https://github.com/OpenPrinting/libcupsfilters/blob/1dd86d835b27ed149b66aee1a4853d1db8a1f44c/cupsfilters/pdftoraster.cxx#L1790
- http://www.openwall.com/lists/oss-security/2025/11/12/2
