CVE-2025-55780: n/a
A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain.
AI Analysis
Technical Summary
CVE-2025-55780 is a vulnerability identified in MuPDF version 1.26.4, specifically within the function break_word_for_overflow_wrap() which is responsible for handling text rendering when processing EPUB documents. The vulnerability arises due to a null pointer dereference caused by insufficient validation of node pointers during the splitting of FLOW_WORD nodes. The function break_word_for_overflow_wrap() calls fz_html_split_flow() to split a FLOW_WORD node, but it does not verify whether node->next is valid before accessing node->next->overflow_wrap. If the split operation fails or returns a partial node chain, node->next can be null, leading to a dereference of a null pointer and causing the application to crash. This crash is a denial-of-service (DoS) condition triggered by rendering a malformed EPUB document. Since MuPDF is a lightweight PDF and document viewer widely used in various applications and embedded systems for rendering PDF, EPUB, and other document formats, this vulnerability could be exploited by an attacker who crafts a malicious EPUB file and convinces a user or system to open it with a vulnerable MuPDF version. The vulnerability does not appear to allow code execution or data leakage but can disrupt service availability by crashing the rendering process. No known exploits are reported in the wild as of the publication date, and no patch or fixed version information is currently available. The vulnerability was reserved and published in August and September 2025 respectively, indicating it is a recent discovery.
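The unchecked-split pattern described above, next to a hardened form, as an added example that is not MuPDF source code. The `flow_node` struct, `split_flow()` and both `break_word_*` functions are hypothetical, simplified stand-ins for the real HTML flow structures.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, NOT MuPDF source: all names below are hypothetical. */
typedef struct flow_node {
    struct flow_node *next;
    int overflow_wrap;
    char text[32];
} flow_node;

/* Stand-in for the split step: returns 0 and leaves the chain untouched on failure. */
int split_flow(flow_node *node, size_t offset)
{
    size_t len = strlen(node->text);
    if (offset == 0 || offset >= len) return 0;   /* nothing to split off */
    flow_node *tail = calloc(1, sizeof *tail);
    if (tail == NULL) return 0;                   /* allocation failure */
    memcpy(tail->text, node->text + offset, len - offset + 1);
    node->text[offset] = '\0';
    tail->next = node->next;                      /* link the tail after node */
    node->next = tail;
    return 1;
}

/* Pattern from the advisory: node->next is used without checking the split.
 * If the split fails on the last node of a chain, node->next is NULL here. */
int break_word_unchecked(flow_node *node, size_t offset)
{
    split_flow(node, offset);
    node->next->overflow_wrap = node->overflow_wrap;
    return 1;
}

/* Hardened form: a failed or partial split means "no break possible". */
int break_word_checked(flow_node *node, size_t offset)
{
    if (node == NULL || !split_flow(node, offset) || node->next == NULL) return 0;
    node->next->overflow_wrap = node->overflow_wrap;
    return 1;
}

int main(void)
{
    flow_node word = { NULL, 1, "overflowing" };
    int ok = break_word_checked(&word, 4), past_end = break_word_checked(&word, 99);
    printf("split ok: %d, split past end: %d\n", ok, past_end);
    free(word.next);
    return 0;
}
```

The checked variant reports failure to its caller instead of touching `node->next`, so a layout pass can fall back to leaving the word unbroken.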
Potential Impact
For European organizations, the primary impact of CVE-2025-55780 is the potential for denial-of-service conditions in any systems or applications that utilize MuPDF 1.26.4 to render EPUB documents. This could affect document management systems, e-book readers, digital libraries, and any embedded devices or software that rely on MuPDF for document rendering. The disruption could lead to service outages, reduced productivity, and potential operational delays, especially in sectors that handle large volumes of digital documents such as publishing, education, government, and legal services. While the vulnerability does not directly compromise confidentiality or integrity, the availability impact could be significant if exploited in automated workflows or critical document processing pipelines. Additionally, if attackers use malformed EPUB files as vectors in phishing or social engineering campaigns, this could increase the risk of broader security incidents. European organizations with strict uptime and availability requirements, such as financial institutions or healthcare providers, may face compliance and reputational risks if service disruptions occur.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should first identify all instances where MuPDF 1.26.4 or similar vulnerable versions are used, including embedded systems and third-party applications. Until an official patch is released, organizations should consider the following specific actions:
1) Implement input validation and filtering to block or quarantine EPUB files from untrusted sources before they reach vulnerable MuPDF instances.
2) Employ sandboxing or containerization for applications that render EPUB documents to isolate crashes and prevent broader system impact.
3) Monitor application logs and crash reports for signs of null pointer dereference events related to document rendering.
4) Where possible, disable EPUB rendering features or replace MuPDF with alternative document rendering libraries that are not affected.
5) Educate users and administrators about the risks of opening EPUB files from unknown or untrusted sources.
6) Maintain an active vulnerability management process to apply patches promptly once available from MuPDF developers.
7) Consider deploying web or email gateway filters that detect and block malicious EPUB attachments.
These targeted mitigations go beyond generic advice by focusing on controlling the input vector (malformed EPUB files), isolating vulnerable components, and enhancing detection capabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68d336ae712f26b964ce8efa
Added to database: 9/24/2025, 12:09:18 AM
Last enriched: 9/24/2025, 12:16:45 AM
Last updated: 9/24/2025, 5:16:15 AM