CVE-2025-27835 Overview
CVE-2025-27835 is a buffer overflow vulnerability in Artifex Ghostscript versions prior to 10.05.0. The flaw resides in psi/zbfont.c, where glyph-to-Unicode conversion fails to enforce proper bounds. Attackers can trigger the overflow by supplying a crafted PostScript or PDF document that the victim processes with Ghostscript. Successful exploitation can corrupt memory, enabling arbitrary code execution in the context of the Ghostscript process.
Ghostscript is embedded in many document processing pipelines, including print servers, PDF converters, and image rendering tools. This broad deployment increases the practical attack surface for malicious document delivery.
Critical Impact
A crafted font in a PostScript or PDF file can overflow a buffer in psi/zbfont.c, leading to memory corruption and potential local code execution with the privileges of the rendering process.
Affected Products
- Artifex Ghostscript versions before 10.05.0
- Downstream Linux distributions packaging Ghostscript (including Debian LTS)
- Applications and services that embed Ghostscript for PostScript or PDF rendering
Discovery Timeline
- 2025-03-25 - CVE-2025-27835 published to the National Vulnerability Database (NVD)
- 2025-04 - Debian LTS security advisory issued for Ghostscript packages
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-27835
Vulnerability Analysis
The vulnerability is a classic buffer overflow [CWE-120] in Ghostscript's PostScript interpreter. The defect lives in the glyph-to-Unicode conversion logic inside psi/zbfont.c. When Ghostscript processes a font definition, it builds a Unicode mapping for each glyph. The routine writes glyph data into a destination buffer without correctly validating the size of the input against the destination capacity.
An attacker crafts a font with glyph or character name entries that exceed the expected length. When Ghostscript parses the font during document rendering, the oversized data overruns the buffer. The overflow corrupts adjacent memory structures on the heap or stack, depending on the allocation path.
Because Ghostscript runs as a trusted document interpreter, exploitation does not require elevated privileges from the attacker. User interaction is required: the victim must open or process a malicious document. Many server-side workflows (print spoolers, PDF preview generators) process untrusted documents automatically, removing the user interaction barrier in practice.
Root Cause
The root cause is missing bounds enforcement when copying glyph name data into a fixed-size buffer during Unicode resolution. The function trusts input length values supplied by the parsed font rather than clamping them to the destination buffer size.
Attack Vector
The attack vector is local. An attacker delivers a malicious PostScript, EPS, or PDF file to a target system that processes the file with a vulnerable Ghostscript build. Delivery methods include email attachments, web downloads, and automated document conversion services that ingest user-supplied input.
The Ghostscript bug tracker entry Ghostscript Bug Report #708131 contains the upstream technical discussion and patch reference.
Detection Methods for CVE-2025-27835
Indicators of Compromise
- Ghostscript processes (gs, gsc) crashing or terminating unexpectedly while rendering PostScript or PDF documents
- Core dumps from gs referencing addresses inside zbfont.c or font-handling routines
- Unexpected child processes spawned by Ghostscript, such as shells or network utilities
- Document conversion or print spooler services exhibiting abnormal memory consumption or restart loops
Detection Strategies
- Inventory all hosts running Ghostscript and compare installed versions against 10.05.0 or later
- Inspect PostScript and PDF files for malformed CharStrings or oversized glyph name entries before processing
- Monitor process execution chains where Ghostscript spawns non-rendering child processes
- Correlate document ingestion events with subsequent crashes or memory errors in security telemetry
Monitoring Recommendations
- Enable verbose logging on document conversion pipelines and forward logs to a centralized analytics platform
- Alert on repeated gs process crashes from a single source or document type
- Track outbound network connections originating from accounts that run Ghostscript-based services
- Audit access to print servers and PDF preview services that handle untrusted user uploads
How to Mitigate CVE-2025-27835
Immediate Actions Required
- Upgrade Artifex Ghostscript to version 10.05.0 or later on all systems
- Apply distribution-specific updates, including the fix referenced in the Debian LTS Announcement
- Restrict Ghostscript processing of untrusted documents until patching is complete
- Run Ghostscript under a low-privilege service account with filesystem and network restrictions
Patch Information
Artifex resolved the buffer overflow in Ghostscript 10.05.0. The upstream fix is tracked in Ghostscript Bug Report #708131. Debian and other downstream maintainers have released backported packages for supported LTS releases.
Workarounds
- Disable automatic Ghostscript-based document conversion for untrusted sources until the patch is deployed
- Sandbox Ghostscript execution using seccomp, AppArmor, or SELinux profiles to limit process capabilities
- Use the -dSAFER command-line flag to restrict file and operator access during interpretation
- Pre-filter incoming documents with size and structural validation before passing them to Ghostscript
# Configuration example
# Verify installed Ghostscript version
gs --version
# Debian/Ubuntu: apply security updates
sudo apt-get update && sudo apt-get install --only-upgrade ghostscript
# Invoke Ghostscript with restricted operations
gs -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite \
-sOutputFile=out.pdf input.ps
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
