CVE-2025-46400 is a vulnerability identified in the xfig diagramming tool, specifically within the fig2dev utility that converts xfig files to other formats. The issue arises from a NULL pointer dereference in the read_arcobject function, which processes arc objects in diagrams. When malformed or manipulated input is provided locally, the function attempts to dereference a NULL pointer, causing a segmentation fault and crashing the process. This results in a denial of service condition, impacting availability but not confidentiality or integrity. The vulnerability requires local access with low privileges (AV:L, PR:L) and does not require user interaction (UI:N). The CVSS 3.1 score is 5.5, indicating a medium severity level. The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component without affecting other system components. No known exploits have been reported in the wild, and no patches or fixes have been linked at the time of publication. The vulnerability primarily affects users who run fig2dev locally, which is common in environments where xfig is used for diagram creation and conversion, such as academic, engineering, and open-source software development contexts.

The primary impact of CVE-2025-46400 is a denial of service through application crash, which can disrupt workflows relying on xfig and fig2dev for diagram processing. Organizations using these tools locally may experience interruptions or loss of productivity if an attacker or user triggers the fault with crafted input. Since exploitation requires local access, the risk is limited to insider threats or compromised user accounts. There is no direct impact on confidentiality or integrity, and no remote exploitation vector is known, reducing the risk of widespread automated attacks. However, in environments where xfig is integrated into automated pipelines or used by multiple users, this vulnerability could cause service interruptions or delays. The lack of patches increases the window of exposure until a fix is released. Overall, the impact is moderate but should not be ignored in environments dependent on xfig tools.

To mitigate CVE-2025-46400, organizations should first restrict local access to systems running xfig and fig2dev to trusted users only, minimizing the risk of malicious input. Implement strict user privilege management to prevent untrusted users from executing fig2dev. Monitor and audit usage of xfig tools to detect abnormal or unexpected input files that could trigger the vulnerability. Until a patch is available, consider isolating the fig2dev process in a sandbox or container to limit the impact of crashes on the broader system. Review and sanitize input files before processing to avoid malformed arc objects. Stay informed about vendor updates or community patches addressing this issue and apply them promptly once available. Additionally, incorporate this vulnerability into local vulnerability management and incident response plans to ensure rapid detection and remediation.