CVE-2025-53367 — Out-of-bounds Read in Djvulibre

CWE-125 — Out-of-bounds Read CWE-787 — Out-of-bounds Write6 documents4 sources

Severity

8.4HIGHNVD

OSV6.5

EPSS

0.0%

top 94.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djvunet Djvulibre Djvulibre Project Djvulibre Debian Djvulibre

Timeline

PublishedJul 3

Latest updateFeb 23

Description

DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it does not check that the xr pointer stays within the bounds of the allocated buffer. This can lead to writes beyond the allocated memory, resulting in a heap corruption condition. An out-of-bounds read with pr is also possible for the same reason. This issue has been patched in version …

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶debiandebian/djvulibre< djvulibre 3.5.28-2.1~deb12u1 (bookworm)

▶CVEListV5djvunet/djvulibre< 3.5.29

▶Debiandjvulibre_project/djvulibre< 3.5.28-2.2~deb11u1+3

▶Ubuntudjvulibre_project/djvulibre< 3.5.28-2ubuntu0.22.04.2+4

🔴Vulnerability Details

OSV

djvulibre vulnerabilities↗2026-02-23

▶

OSV

CVE-2025-53367: DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images↗2025-07-03

▶

📋Vendor Advisories

Ubuntu

DjVuLibre vulnerabilities↗2026-02-23

▶

Ubuntu

DjVuLibre vulnerability↗2025-07-09

▶

Debian

CVE-2025-53367: djvulibre - DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing...↗2025

▶