CVE-2025-55780 | THREATINT

Description

A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain.

PUBLISHED Reserved 2025-08-16 | Published 2025-09-23 | Updated 2025-09-25 | Assigner mitre

References

bugs.ghostscript.com/show_bug.cgi?id=708720

github.com/ISH2YU/CVE-2025-55780/tree/main

cgit.ghostscript.com/...d241748807378a78a622388e0312332513c5

cve.org (CVE-2025-55780)

nvd.nist.gov (CVE-2025-55780)

Download JSON