
CVE-2025-46400: NULL Pointer Dereference

Medium
Tags: Vulnerability, CVE-2025-46400, cve, cve-2025-46400
Published: Wed Apr 23 2025 (04/23/2025, 20:55:17 UTC)
Source: CVE

Description

In the xfig diagramming tool, a segmentation fault while running fig2dev allows an attacker to affect availability via local input manipulation in the read_arcobject function.

AI-Powered Analysis

Last updated: 01/08/2026, 04:32:53 UTC

Technical Analysis

CVE-2025-46400 is a vulnerability identified in the xfig diagramming tool, specifically within the fig2dev utility that converts xfig diagrams into various output formats. The issue arises from a NULL pointer dereference in the read_arcobject function, which processes arc objects in diagram files. When an attacker provides crafted input locally, this dereference leads to a segmentation fault, causing the application to crash and resulting in a denial of service condition. The vulnerability requires local access with low privileges (AV:L, PR:L) and does not require user interaction (UI:N). The scope is unchanged (S:U), and the impact affects integrity (I:H) but not confidentiality or availability directly, although the crash impacts availability indirectly. The CVSS 3.1 score of 5.5 reflects a medium severity due to the limited attack vector and requirement for local access. No known exploits are currently reported, and no patches have been linked, indicating this is a newly disclosed issue. The vulnerability primarily affects environments where xfig and fig2dev are used, often in academic, engineering, or open-source graphical documentation contexts.

Potential Impact

For European organizations, the primary impact is a potential denial of service on systems running xfig and fig2dev locally. This could disrupt workflows involving diagram creation and conversion, particularly in engineering, academic, or research institutions where xfig remains in use. Since exploitation requires local access, the threat is mitigated by controlling user privileges and access to vulnerable systems. However, if exploited by a malicious insider or through compromised local accounts, it could interrupt critical documentation or design processes. The integrity impact is noted, but the main concern is availability due to application crashes. There is no indication of remote exploitation or data exfiltration, limiting the broader impact on confidentiality or system-wide integrity.

Mitigation Recommendations

To mitigate this vulnerability, organizations should:

1) Restrict local access to systems running xfig and fig2dev to trusted users only, minimizing the risk of local input manipulation.
2) Monitor application logs and system stability for unexpected crashes related to fig2dev usage.
3) Implement strict user privilege management to prevent unauthorized local execution of fig2dev.
4) Once patches or updates become available from maintainers or distributions, apply them promptly.
5) Consider substituting xfig with alternative diagramming tools that do not exhibit this vulnerability, especially in critical environments.
6) Educate users about the risks of processing untrusted diagram files locally.
7) Employ application whitelisting and sandboxing where feasible to limit the impact of crashes and potential exploitation.
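
Recommendations 2 and 7 can be applied at the conversion step itself. The sketch below is an added example, not code from the advisory or the xfig project: it runs fig2dev on each file under resource limits, treats death by signal (such as the segmentation fault described above) as a crash, and quarantines the offending input so a batch job keeps running. `CONVERTER`, `QUARANTINE_DIR` and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the advisory. CONVERTER, QUARANTINE_DIR and the
# function names are assumptions. fig2dev is invoked as: -L lang in.fig out
CONVERTER="${CONVERTER:-fig2dev}"
QUARANTINE_DIR="${QUARANTINE_DIR:-./fig-quarantine}"

# convert_untrusted IN OUT [converter options...]
# Returns 0 = converted, 1 = converter reported an error,
#         2 = converter killed by a signal (input moved to quarantine).
convert_untrusted() {
    cu_in=$1; cu_out=$2; shift 2
    cu_rc=0
    (
        ulimit -c 0     # no core files from crafted input
        ulimit -t 10    # cap CPU seconds spent on one file
        exec "$CONVERTER" "$@" "$cu_in" "$cu_out"
    ) || cu_rc=$?

    if [ "$cu_rc" -eq 0 ]; then
        return 0
    elif [ "$cu_rc" -gt 128 ]; then
        # Shell convention: 128+N means killed by signal N (139 = SIGSEGV).
        mkdir -p "$QUARANTINE_DIR"
        mv -- "$cu_in" "$QUARANTINE_DIR/"
        rm -f -- "$cu_out"    # discard any partial output
        echo "fig-convert: signal $((cu_rc - 128)) on $cu_in, quarantined" >&2
        return 2
    fi
    echo "fig-convert: converter exit $cu_rc on $cu_in" >&2
    return 1
}

# convert_batch DIR LANG
# Converts every *.fig in DIR, continues past crashes, and prints the
# number of inputs that were quarantined.
convert_batch() {
    cb_crashes=0
    for cb_f in "$1"/*.fig; do
        [ -e "$cb_f" ] || continue
        cb_rc=0
        convert_untrusted "$cb_f" "${cb_f%.fig}.$2" -L "$2" || cb_rc=$?
        if [ "$cb_rc" -eq 2 ]; then
            cb_crashes=$((cb_crashes + 1))
        fi
    done
    echo "$cb_crashes"
}
```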


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-04-23T20:32:36.307Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec804

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 1/8/2026, 4:32:53 AM

Last updated: 1/19/2026, 9:39:48 AM
