
CVE-2025-31163: CWE-476 in xfig fig2dev

Severity: Medium
Published: Fri Mar 28 2025 (03/28/2025, 18:01:24 UTC)
Source: CVE Database V5
Vendor/Project: xfig
Product: fig2dev

Description

A segmentation fault in fig2dev version 3.2.9a allows an attacker to affect availability via local input manipulation through the put_patternarc function.

AI-Powered Analysis

Last updated: 11/03/2025, 21:19:22 UTC

Technical Analysis

CVE-2025-31163 is a vulnerability identified in the fig2dev utility, part of the xfig suite used for converting fig files into various graphical formats. The flaw is a null pointer dereference (CWE-476) occurring in the put_patternarc function, which handles pattern arcs in graphical rendering. When fig2dev processes crafted input locally, the function may attempt to dereference a null pointer, causing a segmentation fault and crashing the application. This results in a denial of service (DoS) condition affecting availability. The vulnerability affects version 3.2.9a of fig2dev and requires local access with low privileges (AV:L, PR:L) and no user interaction (UI:N). The CVSS v3.1 base score is 6.6, reflecting medium severity due to the high impact on availability but limited impact on confidentiality and integrity. The scope is unchanged (S:U), meaning the vulnerability affects only the local application instance. No patches or exploits are currently known, but the vulnerability has been publicly disclosed. The issue arises from improper handling of input data leading to dereferencing a null pointer, a common programming error that can be exploited to crash software. Given fig2dev’s role in graphical file conversions, the disruption could impact workflows relying on automated or manual use of this tool.

Potential Impact

For European organizations, the primary impact is a denial of service on systems running fig2dev 3.2.9a locally. This could disrupt workflows in academic, research, or engineering environments where xfig is used for graphical conversions. While the vulnerability does not allow remote exploitation or privilege escalation, local users with low privileges could crash the application, potentially interrupting batch processing or automated pipelines. Confidentiality and integrity impacts are minimal, but availability interruptions could cause delays or require manual intervention. Organizations with strict uptime requirements or automated graphical processing may experience operational inefficiencies. Since exploitation requires local access, insider threats or compromised user accounts pose the main risk vectors. The absence of known exploits reduces immediate risk but patching is recommended to prevent future abuse.

Mitigation Recommendations

1. Monitor for official patches or updates from the xfig project and apply them promptly once available.
2. Restrict local access to systems running fig2dev to trusted users only, minimizing the risk of malicious input.
3. Implement application whitelisting and user privilege restrictions to prevent unauthorized execution of fig2dev.
4. Use input validation or sandboxing techniques when processing fig files to detect or isolate malformed inputs.
5. Incorporate monitoring and alerting for unexpected crashes of fig2dev to enable rapid response.
6. For critical environments, consider replacing fig2dev with alternative tools that do not exhibit this vulnerability.
7. Educate users on safe handling of graphical files and the risks of processing untrusted inputs locally.
8. Maintain regular backups and recovery procedures to mitigate operational disruptions caused by DoS conditions.
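
Recommendations 4 and 5 can be combined in a batch pipeline by running each conversion in its own resource-limited process and treating death by signal as an alertable event. The following is an added example, not code from the xfig project or from this page; the function names and limits are hypothetical, and it assumes a Unix host with the usual `fig2dev -L <language> <input> <output>` invocation.

```python
import resource
import signal
import subprocess

CPU_SECONDS = 10  # assumed per-file CPU budget; tune for your pipeline


def _limit_child():
    """Runs in the child before exec: cap CPU time and disable core dumps."""
    _, hard = resource.getrlimit(resource.RLIMIT_CPU)
    cap = CPU_SECONDS if hard == resource.RLIM_INFINITY else min(CPU_SECONDS, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (cap, cap))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def run_isolated(argv, wall_timeout=30):
    """Run one converter process and classify how it ended.

    Returns (status, detail); status is "ok", "error", "crash" or "timeout".
    """
    try:
        proc = subprocess.run(argv, preexec_fn=_limit_child, timeout=wall_timeout,
                              stdin=subprocess.DEVNULL, capture_output=True)
    except subprocess.TimeoutExpired:
        return ("timeout", f"no exit after {wall_timeout}s")
    except FileNotFoundError:
        return ("error", "converter not found")
    if proc.returncode < 0:
        # A negative return code means the child was killed by that signal,
        # e.g. -11 for the SIGSEGV a null pointer dereference produces.
        return ("crash", signal.Signals(-proc.returncode).name)
    if proc.returncode != 0:
        return ("error", f"exit code {proc.returncode}")
    return ("ok", "")


def convert_batch(fig_paths, make_argv):
    """Convert each file separately so one crash cannot abort the batch.

    Returns the inputs to quarantine and alert on.
    """
    quarantine = []
    for path in fig_paths:
        status, detail = run_isolated(make_argv(path))
        if status in ("crash", "timeout"):
            quarantine.append((path, status, detail))
    return quarantine


def fig2dev_argv(path):
    # Hypothetical job definition: convert one .fig file to PNG.
    return ["fig2dev", "-L", "png", path, path + ".png"]
```

Feed the list returned by `convert_batch(paths, fig2dev_argv)` into existing alerting, and keep the flagged files out of automatic retries until they have been reviewed.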


Technical Details

Data Version: 5.2
Assigner Short Name: redhat-cnalr
Date Reserved: 2025-03-27T02:44:50.788Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69091549c28fd46ded7bb752

Added to database: 11/3/2025, 8:49:13 PM

Last enriched: 11/3/2025, 9:19:22 PM

Last updated: 12/20/2025, 2:07:44 AM

