cbcvebase.
CVE-2025-57812
published 2025-11-12

CVE-2025-57812: CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library…

PriorityP417low3.7CVSS 3.1
AVAACHPRLUINSUCLILAN
EPSS
0.41%
33.0th percentile
CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. In CUPS-Filters versions up to and including 1.28.17 and libscupsfilters versions 2.0.0 through 2.1.1, CUPS-Filters's `imagetoraster` filter has an out of bounds read/write vulnerability in the processing of TIFF image files. While the pixel buffer is allocated with the number of pixels times a pre-calculated bytes-per-pixel value, the function which processes these pixels is called with a size of the number of pixels times 3. When suitable inputs are passed, the bytes-per-pixel value can be set to 1 and bytes outside of the buffer bounds get processed. In order to trigger the bug, an attacker must issue a print job with a crafted TIFF file, and pass appropriate print job options to control the bytes-per-pixel value of the output format. They must choose a printer configuration under which the `imagetoraster` filter or its C-function equivalent `cfFilterImageToRaster()` gets invoked. The vulnerability exists in both CUPS-Filters 1.x and the successor library libcupsfilters (CUPS-Filters 2.x). In CUPS-Filters 2.x, the vulnerable function is `_cfImageReadTIFF() in libcupsfilters`. When this function is invoked as part of `cfFilterImageToRaster()`, the caller passes a look-up-table during whose processing the out of bounds memory access happens. In CUPS-Filters 1.x, the equivalent functions are all found in the cups-filters repository, which is not split into subprojects yet, and the vulnerable code is in `_cupsImageReadTIFF()`, which is called through `cupsImageOpen()` from the `imagetoraster` tool. A patch is available in commit b69dfacec7f176281782e2f7ac44f04bf9633cfa.

Affected

21 ranges
VendorProductVersion rangeFixed in
debiancups-filters< cups-filters 1.28.17-3+deb12u2 (bookworm)cups-filters 1.28.17-3+deb12u2 (bookworm)
debianlibcupsfilters< cups-filters 1.28.17-3+deb12u2 (bookworm)cups-filters 1.28.17-3+deb12u2 (bookworm)
linuxfoundationcups-filters>= 0 < 1.28.7-1+deb11u41.28.7-1+deb11u4
linuxfoundationcups-filters>= 0 < 1.28.17-3+deb12u21.28.17-3+deb12u2
linuxfoundationcups-filters>= 0 < 1.28.17-6+deb13u11.28.17-6+deb13u1
linuxfoundationcups-filters>= 0 < 1.28.17-71.28.17-7
linuxfoundationcups-filters>= 0 < 1.28.15-0ubuntu1.51.28.15-0ubuntu1.5
linuxfoundationcups-filters>= 0 < 2.0.0-0ubuntu4.12.0.0-0ubuntu4.1
linuxfoundationcups-filters>= 0 < 2.0.1-0ubuntu3.25.04.12.0.1-0ubuntu3.25.04.1
linuxfoundationcups-filters>= 0 < 2.0.1-0ubuntu3.25.10.12.0.1-0ubuntu3.25.10.1
linuxfoundationcups-filters>= 0 < 1.8.3-2ubuntu3.5+esm31.8.3-2ubuntu3.5+esm3
linuxfoundationcups-filters>= 0 < 1.20.2-0ubuntu3.3+esm21.20.2-0ubuntu3.3+esm2
linuxfoundationcups-filters>= 0 < 1.27.4-1ubuntu0.4+esm11.27.4-1ubuntu0.4+esm1
openprintingcups-filters< 1.28.171.28.17
openprintinglibcupsfilters
openprintinglibcupsfilters
openprintinglibcupsfilters>= 0 < 2.0.0-3+deb13u12.0.0-3+deb13u1
openprintinglibcupsfilters>= 0 < 2.1.1-22.1.1-2
openprintinglibcupsfilters>= 0 < 2.0.0-0ubuntu7.22.0.0-0ubuntu7.2
openprintinglibcupsfilters>= 0 < 2.1.1-0ubuntu3.12.1.1-0ubuntu3.1
openprintinglibcupsfilters>= 2.0.0 < 2.1.12.1.1

CVSS provenance

nvdv3.13.7LOWCVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
osv3.7LOW
vendor_debian3.7LOW
vendor_redhat3.7LOW
vendor_ubuntu3.7LOW
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.