CVE-2025-46400: NULL Pointer Dereference
In the xfig diagramming tool, a segmentation fault while running fig2dev allows an attacker to affect availability through local input manipulation in the read_arcobject function.
AI Analysis
Technical Summary
CVE-2025-46400 identifies a NULL pointer dereference vulnerability in the xfig diagramming tool, specifically within the fig2dev utility's read_arcobject function. This flaw causes a segmentation fault when processing crafted local input, leading to a denial of service condition by crashing the application. The vulnerability requires local access to the system, high attack complexity, and user interaction to trigger, as an attacker must supply malicious input to fig2dev. The vulnerability does not impact confidentiality or integrity but affects availability by causing the application to crash. The CVSS 3.1 base score is 4.7 (medium), reflecting these characteristics. No patches or exploit code are currently publicly available, and no known exploitation in the wild has been reported. The affected product version is indicated as '0', which likely refers to an early or unspecified version of xfig. The vulnerability was published in April 2025 and assigned by Red Hat. This issue primarily affects local users or systems where fig2dev is run with untrusted input, such as in development or academic environments where xfig is used for diagram creation and conversion.
Potential Impact
For European organizations, the primary impact is a potential denial of service on systems running xfig and fig2dev locally. This could disrupt workflows in academic, engineering, or software development environments relying on xfig for diagramming tasks. Since exploitation requires local access and user interaction, remote attacks are unlikely, limiting the threat to insider or compromised user scenarios. The vulnerability does not compromise data confidentiality or integrity, so data breaches or manipulation are not a concern. However, availability disruptions could cause productivity loss or delay in critical documentation or design processes. Organizations with automated pipelines invoking fig2dev on untrusted inputs could face service interruptions. The lack of known exploits reduces immediate risk but does not eliminate the need for vigilance.
Mitigation Recommendations
Organizations should restrict local access to systems running xfig and fig2dev to trusted users only. Avoid processing untrusted or malformed input files with fig2dev. Implement input validation and sanitization where possible before feeding data into fig2dev. Monitor official xfig repositories and security advisories for patches or updates addressing this vulnerability and apply them promptly once available. Consider isolating or sandboxing the fig2dev utility to limit the impact of crashes. Educate users about the risks of opening or processing untrusted diagram files locally. For automated workflows, introduce checks to validate input files before processing. Maintain regular backups of critical work to mitigate productivity loss from potential crashes.
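One way to apply the isolation and automated-workflow recommendations above, as an added example that is not code from this advisory or from the xfig project: each file is converted in its own child process, and a signal-terminated fig2dev is recorded as a crash instead of stopping the batch. The function names are hypothetical, the wrapper is POSIX-only, and it assumes the usual `fig2dev -L <language> input output` invocation.

```python
import os
import resource
import signal
import subprocess
import sys

def _no_core_dumps():
    # Runs in the child before exec: a crash should not leave core files behind.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))

def run_converter(argv, timeout=30):
    """Run one conversion in its own process; return (status, detail)."""
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
                              timeout=timeout, preexec_fn=_no_core_dumps)
    except subprocess.TimeoutExpired:
        return ("timeout", f"killed after {timeout}s")
    except FileNotFoundError:
        return ("missing", argv[0])
    if proc.returncode < 0:
        # Negative return code: the child died from a signal (SIGSEGV for this CVE).
        return ("crashed", signal.Signals(-proc.returncode).name)
    if proc.returncode != 0:
        return ("rejected", proc.stderr.decode(errors="replace").strip())
    return ("ok", "")

def convert_batch(fig_paths, out_dir, lang="pdf", converter=("fig2dev",)):
    """Convert each file separately so one crashing input cannot stop the batch."""
    results = {}
    for path in fig_paths:
        out = os.path.join(out_dir, os.path.basename(path) + "." + lang)
        results[path] = run_converter([*converter, "-L", lang, path, out])
    return results

if __name__ == "__main__":
    # Constructed stand-in for fig2dev: it kills itself with SIGSEGV when the
    # input path contains "bad", so the demo runs without xfig installed.
    fake = (sys.executable, "-c",
            "import os, signal, sys\n"
            "if 'bad' in sys.argv[3]: os.kill(os.getpid(), signal.SIGSEGV)")
    batch = convert_batch(["ok.fig", "bad.fig"], "/tmp", converter=fake)
    for path, result in batch.items():
        print(path, result)
```

Files reported as `crashed` can be moved to a quarantine directory and logged, which gives an automated pipeline a record of which inputs triggered the fault.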
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-04-23T20:32:36.307Z
- CISA Enriched: false
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fb1484d88663aec804
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 11/11/2025, 4:38:02 AM
Last updated: 12/2/2025, 5:19:12 PM