
CVE-2025-46399: NULL Pointer Dereference

Medium
Vulnerability, CVE-2025-46399, cve, cve-2025-46399
Published: Wed Apr 23 2025 (04/23/2025, 20:55:15 UTC)
Source: CVE

Description

A flaw was found in fig2dev. This vulnerability allows an impact on availability through local input manipulation via the genge_itp_spline function.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 14:06:33 UTC

Technical Analysis

CVE-2025-46399 identifies a NULL pointer dereference vulnerability within the fig2dev software, specifically in the genge_itp_spline function. Fig2dev is a component of the Xfig suite used for converting figure files into various formats. The vulnerability arises when local input data is manipulated to trigger a NULL pointer dereference, causing the application to crash and resulting in a denial of service condition. The CVSS 3.1 base score of 5.5 reflects a medium severity, with an attack vector limited to local access (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), and no user interaction (UI:N). The scope remains unchanged (S:U), and the impact affects integrity (I:H) but not confidentiality or availability, which is unusual given the description; this may indicate some data corruption or processing integrity issues during exploitation. No known exploits have been reported in the wild, and no patches or vendor advisories are currently available. The vulnerability is primarily a stability and availability concern for local users of fig2dev, potentially impacting workflows that rely on this tool for figure conversions.

Potential Impact

The primary impact of CVE-2025-46399 is a denial of service through application crashes caused by local input manipulation. Organizations using fig2dev in their workflows may experience interruptions or failures in figure conversion processes, which could delay documentation, publishing, or other dependent tasks. Since exploitation requires local access and low privileges, the threat is mostly relevant in environments where multiple users share systems or where attackers have gained limited local access. There is no direct impact on confidentiality, but the integrity impact suggests potential data corruption or erroneous processing results, which could affect the accuracy of converted figures. The lack of remote exploitability limits the threat scope, but internal users or attackers with foothold could disrupt operations. The absence of patches increases risk until remediation is available.

Mitigation Recommendations

To mitigate CVE-2025-46399, organizations should restrict local access to systems running fig2dev to trusted users only and monitor for unusual application crashes or errors related to figure conversion processes. Employing application whitelisting and limiting user privileges can reduce the risk of exploitation. Until a patch is released, consider isolating fig2dev usage to dedicated environments or containers to contain potential crashes. Review and validate input data to fig2dev where possible to detect malformed or malicious inputs. Additionally, maintain regular backups of critical data and conversion outputs to recover from potential disruptions. Stay alert for vendor advisories or patches and apply updates promptly once available.
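One way to act on the containment and crash-monitoring advice above, as an added example (not code from fig2dev or from this page's source): a Python wrapper that runs a converter under resource limits and reports signal-terminated exits. The function names, the limit values and the stand-in crashing child are assumptions; a real call would pass the fig2dev command line.

```python
import resource
import signal
import subprocess
import sys

CRASH_SIGNALS = {signal.SIGSEGV, signal.SIGBUS, signal.SIGABRT}


def _cap(res, value):
    """Lower a resource limit, never exceeding the inherited hard limit."""
    hard = resource.getrlimit(res)[1]
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def run_converter(cmd, timeout=30, cpu_seconds=10, mem_bytes=2**30):
    """Run one conversion under limits; return (status, detail)."""
    def limits():  # runs in the child just before exec
        _cap(resource.RLIMIT_CORE, 0)          # no core files from crashes
        _cap(resource.RLIMIT_CPU, cpu_seconds)
        _cap(resource.RLIMIT_AS, mem_bytes)
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout,
                              preexec_fn=limits)
    except subprocess.TimeoutExpired:
        return "timeout", f"no exit within {timeout}s"
    except FileNotFoundError:
        return "missing", cmd[0]
    if proc.returncode < 0:  # negative return code: killed by that signal
        sig = signal.Signals(-proc.returncode)
        return ("crash" if sig in CRASH_SIGNALS else "killed"), sig.name
    if proc.returncode != 0:
        return "error", proc.stderr.decode(errors="replace").strip()
    return "ok", ""


if __name__ == "__main__":
    # Constructed stand-in for a converter that dereferences NULL; a real
    # call would be e.g. ["fig2dev", "-L", "pdf", "in.fig", "out.pdf"].
    fake = [sys.executable, "-c",
            "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
    print(run_converter(fake))
```

A "crash" status for a given input file is the event to log and alert on, since it separates a segfault from an ordinary conversion error.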


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-04-23T20:32:36.307Z
Cisa Enriched: false
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec4ac

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 2/27/2026, 2:06:33 PM

Last updated: 3/22/2026, 6:52:02 PM
