Xfig: fig2dev segmentation fault in read_arcobject
Description
A segmentation fault in fig2dev's read_arcobject function (xfig ≤3.2.9a) allows local attackers to cause a denial of service via a crafted FIG file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in the read_arcobject function in read1_3.c of fig2dev, part of the xfig diagramming tool. In version 3.2.9a (and possibly earlier), processing a specially crafted FIG file results in a conditional jump depending on an uninitialised value, leading to a segmentation fault [1][2]. The affected code path is reachable when fig2dev parses arc objects from FIG input files.
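The following C sketch is an added illustration of the defect class the advisory names (a conditional branch that depends on a field the parser never actually filled in). It is not fig2dev's read_arcobject code and not the upstream fix, which has not been published; the four-field arc record, the accepted direction values and the helper names are hypothetical stand-ins chosen to show the unchecked-versus-checked parsing pattern on constructed input.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical arc record: a simplified stand-in for the FIG 1.3 arc fields,
 * not the real layout that fig2dev's read1_3.c parses. */
struct arc {
    int type;       /* object type code */
    int style;      /* line style */
    int thickness;  /* line thickness */
    int direction;  /* arc direction flag */
};

/* Unchecked pattern: if the line carries fewer than four numbers, sscanf leaves
 * the remaining members untouched, and the branch below then reads whatever the
 * caller's struct happened to contain. This is the shape of bug valgrind reports
 * as "conditional jump or move depends on uninitialised value(s)". */
int parse_arc_unchecked(const char *line, struct arc *a)
{
    sscanf(line, "%d %d %d %d", &a->type, &a->style, &a->thickness, &a->direction);
    return a->direction != 0;   /* may branch on a field that was never set */
}

/* Hardened pattern: parse into a zeroed temporary, require that every field
 * matched, validate ranges, and only then publish the record to the caller. */
int parse_arc_checked(const char *line, struct arc *out)
{
    struct arc tmp;
    int matched;

    memset(&tmp, 0, sizeof tmp);
    matched = sscanf(line, "%d %d %d %d",
                     &tmp.type, &tmp.style, &tmp.thickness, &tmp.direction);
    if (matched != 4)
        return -1;                       /* truncated or malformed record */
    if (tmp.direction != 0 && tmp.direction != 1)
        return -1;                       /* hypothetical range check */
    if (tmp.thickness < 0)
        return -1;                       /* hypothetical range check */
    *out = tmp;
    return 0;
}

/* Convenience wrapper: direction field of a validated record, or -1 if rejected. */
int arc_direction_of(const char *line)
{
    struct arc a;
    return parse_arc_checked(line, &a) == 0 ? a.direction : -1;
}

/* Constructed sample records: two well-formed, one truncated, one out of range. */
static const char *const SAMPLE_LINES[] = {
    "5 0 1 1",
    "5 1 2 0",
    "5 0",       /* truncated: only two of four fields present */
    "5 0 1 7",   /* direction outside the accepted set */
};
#define SAMPLE_COUNT (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Counts the records the checked parser accepts; rejected records are skipped
 * with an error return instead of being acted on with undefined contents. */
int count_valid_arcs(const char *const *lines, int nlines)
{
    int i, accepted = 0;
    struct arc a;

    for (i = 0; i < nlines; i++)
        if (parse_arc_checked(lines[i], &a) == 0)
            accepted++;
    return accepted;
}

int main(void)
{
    int n = count_valid_arcs(SAMPLE_LINES, (int)SAMPLE_COUNT);
    printf("accepted %d of %d arc records\n", n, (int)SAMPLE_COUNT);
    return 0;
}
```

The design point is that the return value of every scanf-family call is part of the input validation: a record is only trustworthy once the parser has confirmed that every expected field matched and lies in range, and anything else is rejected before it can influence control flow.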
Exploitation
An attacker with local system access can trigger the vulnerability by supplying a malicious FIG file to fig2dev. No authentication or elevated privileges are required. For example, running fig2dev -L pict2e ./poc with a crafted file causes the segmentation fault, as demonstrated by valgrind output showing uninitialised value usage in read_arcobject [2].
Impact
Successful exploitation causes fig2dev to crash via a segmentation fault, resulting in a denial of service (availability impact) for the user attempting to convert the FIG file. No evidence of code execution or information disclosure exists [1].
Mitigation
As of the publication date (2025-04-23), no fix has been released for version 3.2.9a. Users should avoid processing untrusted FIG files with fig2dev. Monitor for updates from the xfig project on SourceForge [2]; if a patch becomes available, upgrade immediately. The CVE is not listed in CISA KEV [3].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
13 versions (OSV coordinates; no CPE assigned to any entry)
- pkg:deb/ubuntu/fig2dev@1:3.2.6a-6ubuntu1.1?arch=source&distro=esm-apps/bionic (range: >= 0)
- pkg:deb/ubuntu/fig2dev@1:3.2.7a-7ubuntu0.1?arch=source&distro=focal (range: >= 0)
- pkg:deb/ubuntu/fig2dev@1:3.2.8b-1?arch=source&distro=jammy (range: >= 0)
- pkg:deb/ubuntu/fig2dev@1:3.2.9-3build2?arch=source&distro=noble (range: >= 0)
- pkg:deb/ubuntu/fig2dev@1:3.2.9-4?arch=source&distro=oracular (range: >= 0)
- pkg:deb/ubuntu/fig2dev@1:3.2.9a-3?arch=source&distro=plucky (range: >= 0)
- pkg:rpm/opensuse/transfig&distro=openSUSE%20Leap%2015.6 (range: < 3.2.9a-150600.3.5.1)
- pkg:rpm/opensuse/transfig&distro=openSUSE%20Tumbleweed (range: < 3.2.9a-3.1)
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 (range: < 3.2.9a-150600.3.5.1)
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7 (range: < 3.2.9a-150600.3.5.1)
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5 (range: < 3.2.8b-2.26.1)
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP6 (range: < 3.2.9a-150600.3.5.1)
- pkg:rpm/suse/transfig&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP7 (range: < 3.2.9a-150600.3.5.1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- access.redhat.com/security/cve/CVE-2025-46400 (mitre; vdb-entry; x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (mitre; issue-tracking; x_refsource_REDHAT)
- sourceforge.net/p/mcj/tickets/187/ (mitre)
News mentions (0)
No linked articles in our index yet.