Bug 2397667 (CVE-2025-55780) - CVE-2025-55780 mupdf: MuPDF null pointer dereference
Summary: CVE-2025-55780 mupdf: MuPDF null pointer dereference
Keywords:
Status: NEW
Alias: CVE-2025-55780
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2397700 2397701 2397702 2397703
Blocks:
Reported: 2025-09-23 19:01 UTC by OSIDB Bzimport
Modified: 2025-09-24 08:38 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-09-23 19:01:18 UTC
A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain.
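As an added illustration (not MuPDF's code), the unchecked-dereference pattern the description names next to a checked variant; flow_node, split_flow, break_word_unchecked, break_word_checked and make_word are a hypothetical model of a word-flow chain, not MuPDF's fz_html_flow or fz_html_split_flow:

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical model of a text-flow node chain (not MuPDF's fz_html_flow):
 * each node is one word fragment with its own overflow-wrap setting. */
typedef struct flow_node {
    struct flow_node *next;
    int overflow_wrap;
} flow_node;

/* Simulated word split: on success inserts the tail fragment after `node`
 * and returns 0; on failure returns -1 and leaves the chain untouched, so
 * node->next is still whatever it was before (possibly NULL). */
static int split_flow(flow_node *node, int fail)
{
    flow_node *tail;
    if (fail)
        return -1;                  /* e.g. allocation or layout failure */
    tail = calloc(1, sizeof *tail);
    if (tail == NULL)
        return -1;
    tail->overflow_wrap = node->overflow_wrap;
    tail->next = node->next;
    node->next = tail;
    return 0;
}

/* Vulnerable pattern described in the report: the split result is ignored
 * and node->next is dereferenced unconditionally. */
static int break_word_unchecked(flow_node *node, int fail)
{
    split_flow(node, fail);
    return node->next->overflow_wrap;   /* NULL dereference when the split fails */
}

/* Hardened pattern: check both the split result and node->next, and report
 * failure to the caller instead of crashing. */
static int break_word_checked(flow_node *node, int fail, int *wrap_out)
{
    if (split_flow(node, fail) != 0 || node->next == NULL)
        return -1;                      /* leave the word unsplit */
    *wrap_out = node->next->overflow_wrap;
    return 0;
}

/* Builds a single-node chain for a constructed test word. */
static flow_node *make_word(int wrap)
{
    flow_node *n = calloc(1, sizeof *n);
    if (n != NULL)
        n->overflow_wrap = wrap;
    return n;
}
```

With the checked variant a failed split on a malformed input surfaces as an error return rather than a crash, which is the behaviour a renderer should fall back to.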

Comment 2 Michael J Gruber 2025-09-24 08:38:42 UTC
https://bugs.ghostscript.com/show_bug.cgi?id=708720

So, this is fixed in upstream/master (1.27.x). I'm backporting the fix to 1.26.9 which is the version coming to f44+f43 currently, and I'll have to see about released branches (backport further or update).

Note that I cannot verify the fix as the reproducer in the upstream bug is private. I'll go by upstream's verdict on this.

