
CVE-2025-64503: CWE-787: Out-of-bounds Write in OpenPrinting cups-filters

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-64503, cve, cve-2025-64503, cwe-787
Published: Wed Nov 12 2025 (11/12/2025, 22:04:03 UTC)
Source: CVE Database V5
Vendor/Project: OpenPrinting
Product: cups-filters

Description

cups-filters contains backends, filters, and other software required to get the CUPS printing service working on operating systems other than macOS. In cups-filters prior to 1.28.18, by crafting a PDF file with a large `MediaBox` value, an attacker can cause CUPS-Filter 1.x’s `pdftoraster` tool to write beyond the bounds of an array. First, a PDF with a large `MediaBox` width value causes `header.cupsWidth` to become large. Next, the calculation of `bytesPerLine = (header.cupsBitsPerPixel * header.cupsWidth + 7) / 8` overflows, resulting in a small value. Then, `lineBuf` is allocated with the small `bytesPerLine` size. Finally, `convertLineChunked` calls `writePixel8`, which attempts to write to `lineBuf` outside of its buffer size (out-of-bounds write). In libcupsfilters, the maintainers found the same `bytesPerLine` multiplication without overflow check, but the provided test case does not cause an overflow there, because the values are different. Commit 50d94ca0f2fa6177613c97c59791bde568631865 contains a patch, which is incorporated into cups-filters version 1.28.18.

AI-Powered Analysis

Last updated: 11/12/2025, 22:32:55 UTC

Technical Analysis

CVE-2025-64503 is an out-of-bounds write vulnerability classified under CWE-787, found in the cups-filters package, which provides essential backends and filters for the CUPS printing system on operating systems other than macOS. The vulnerability is triggered by processing a maliciously crafted PDF file containing a `MediaBox` with an excessively large width value. This large value causes the variable `header.cupsWidth` to become very large. Subsequently, the calculation for `bytesPerLine`, which is computed as `(header.cupsBitsPerPixel * header.cupsWidth + 7) / 8`, suffers from an integer overflow, resulting in a smaller-than-expected `bytesPerLine` value. This incorrect calculation leads to the allocation of a buffer `lineBuf` that is too small. Later, the function `convertLineChunked` calls `writePixel8`, which writes data beyond the allocated buffer size, causing an out-of-bounds write. This memory corruption can lead to crashes or undefined behavior, primarily resulting in denial of service. The libcupsfilters library also contains a similar multiplication without overflow checks, but the provided test case does not cause an overflow there due to differing values. The vulnerability affects cups-filters versions prior to 1.28.18 and libcupsfilters versions from 2.0.0 up to but not including 2.1.2. The issue was patched in commit 50d94ca0f2fa6177613c97c59791bde568631865 and incorporated into cups-filters 1.28.18. The CVSS v3.1 base score is 4.0, reflecting a low complexity local attack vector with no privileges or user interaction required, and an impact limited to availability. No known exploits are reported in the wild as of the publication date.
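The arithmetic behind the Description and Technical Analysis above, as an added example (not code from cups-filters and not the upstream patch). It assumes the header fields and `bytesPerLine` are 32-bit unsigned values; the function names are hypothetical and the inputs are constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* The advisory's formula in 32-bit unsigned arithmetic (assumed field width).
 * The multiplication wraps modulo 2^32, so a huge width yields a tiny result. */
static uint32_t bytes_per_line_unchecked(uint32_t bits_per_pixel, uint32_t width)
{
    return (bits_per_pixel * width + 7) / 8;
}

/* Bytes a full line really occupies, computed in 64 bits so it cannot wrap. */
static uint64_t bytes_per_line_true(uint32_t bits_per_pixel, uint32_t width)
{
    return ((uint64_t)bits_per_pixel * width + 7) / 8;
}

/* Hardened form: refuse the page when bits_per_pixel * width + 7 would not
 * fit in 32 bits. Returns 0 and stores the size on success, -1 otherwise. */
static int bytes_per_line_checked(uint32_t bits_per_pixel, uint32_t width,
                                  uint32_t *out)
{
    if (bits_per_pixel == 0 || width == 0)
        return -1;
    if (width > (UINT32_MAX - 7) / bits_per_pixel)
        return -1;
    *out = (bits_per_pixel * width + 7) / 8;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a US Letter line at 300 dpi, then an oversized width. */
    const uint32_t cases[][2] = { {24, 2550}, {8, 0x20000001u} };
    for (size_t i = 0; i < 2; i++) {
        uint32_t bpp = cases[i][0], w = cases[i][1], safe = 0;
        int rc = bytes_per_line_checked(bpp, w, &safe);
        printf("bpp=%" PRIu32 " width=%" PRIu32 ": allocated=%" PRIu32
               " needed=%" PRIu64 " checked=%s\n", bpp, w,
               bytes_per_line_unchecked(bpp, w), bytes_per_line_true(bpp, w),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

The gap between the unchecked result and the true line size is the distance a per-pixel writer can run past the end of the line buffer; the checked form rejects the page before any allocation happens.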

Potential Impact

For European organizations, the primary impact of CVE-2025-64503 is the potential disruption of printing services due to denial of service caused by crashes in the cups-filters pdftoraster tool. Organizations relying on Linux or Unix-based systems with vulnerable versions of cups-filters or libcupsfilters may experience service outages or degraded printing functionality. This can affect business operations, especially in sectors with high printing demands such as government agencies, financial institutions, healthcare providers, and manufacturing. Although the vulnerability does not compromise confidentiality or integrity, the availability impact can hinder workflows and productivity. Additionally, environments with automated document processing pipelines that convert PDFs to raster images may be vulnerable to crashes triggered by malicious PDF files. Since exploitation requires local access, the threat is more relevant in environments where untrusted users have access to submit print jobs or where print servers are exposed to internal networks with less stringent access controls. The absence of known exploits in the wild reduces immediate risk but does not eliminate the need for timely patching to prevent future attacks or accidental crashes from malformed documents.

Mitigation Recommendations

European organizations should implement the following specific mitigation measures:

1) Upgrade cups-filters to version 1.28.18 or later and libcupsfilters to version 2.1.2 or later, where the vulnerability is patched.
2) Restrict access to print servers and printing services to trusted users only, minimizing the risk of malicious PDF submissions.
3) Implement input validation or filtering on PDF files submitted for printing, potentially using sandboxed environments to analyze documents before processing.
4) Monitor printing service logs and system stability for signs of crashes or abnormal behavior indicative of exploitation attempts.
5) Employ application-level sandboxing or containerization for the cups-filters processes to limit the impact of potential memory corruption.
6) Regularly audit and update printing infrastructure components as part of vulnerability management programs.
7) Educate IT staff and users about the risks of processing untrusted PDF files and enforce policies to avoid printing documents from unknown sources.

These targeted steps go beyond generic advice by focusing on controlling access, validating inputs, and isolating vulnerable components.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-05T19:12:25.104Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691509abe6b3e50d509f11cc

Added to database: 11/12/2025, 10:26:51 PM

Last enriched: 11/12/2025, 10:32:55 PM

Last updated: 11/12/2025, 11:44:09 PM
