CVE-2025-7462 Overview
CVE-2025-7462 is a null pointer dereference vulnerability [CWE-404] in Artifex GhostPDL, the open-source page description language interpreter used for processing PostScript and PDF documents. The flaw resides in the pdf_ferror function within devices/vector/gdevpdf.c, specifically in the New Output File Open Error Handler component. When output file open operations fail, the error handler dereferences a null pointer, causing the process to crash. An attacker can trigger the condition remotely by supplying crafted input that forces the failure path, requiring user interaction to process the file. Affected builds include Artifex GhostPDL up to commit 3989415a5b8e99b9d1b87cc9902bde9b7cdea145.
Critical Impact
Remote attackers can crash GhostPDL-based document processing services, disrupting availability of PDF conversion, printing, and rendering pipelines that rely on Ghostscript.
Affected Products
- Artifex GhostPDL up to commit 3989415a5b8e99b9d1b87cc9902bde9b7cdea145
- Ghostscript distributions bundling the vulnerable gdevpdf.c output device
- Debian LTS packages tracking the affected Ghostscript versions
Discovery Timeline
- 2025-07-12 - CVE-2025-7462 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7462
Vulnerability Analysis
The vulnerability sits in the PDF output device implementation in devices/vector/gdevpdf.c. The pdf_ferror function is invoked when GhostPDL fails to open a new output file. Instead of validating the file stream pointer before checking its error state, the handler dereferences the pointer directly. When the pointer is null, typically because file allocation or opening failed earlier in the code path, the process terminates.
The issue is classified as an Improper Resource Shutdown or Release weakness [CWE-404]. GhostPDL is embedded in numerous document conversion pipelines, print servers, and file-preview services, making the crash reachable from any workflow that accepts user-supplied documents. Exploitation does not yield code execution or data disclosure, but it produces a reliable denial of service against services that process untrusted PDF or PostScript input.
Root Cause
The root cause is missing null-pointer validation in the output file open error handler. When the underlying file open operation returns an error and leaves the stream pointer uninitialized, pdf_ferror attempts to read the error flag from that pointer, triggering a segmentation fault.
Attack Vector
An attacker delivers a crafted document or triggers an output-file operation that fails, for example by targeting a path that GhostPDL cannot write. The failure routes execution to pdf_ferror, where the null dereference occurs. The attack requires user interaction, such as opening or converting the input file, but no authentication or elevated privileges.
Verified public exploit code is not available for CVE-2025-7462. Technical details are documented in the upstream fix at Ghostscript Commit Details and the Debian LTS Announcement.
Detection Methods for CVE-2025-7462
Indicators of Compromise
- Repeated crashes or segmentation faults in gs, gpdl, or Ghostscript-based worker processes handling PDF or PostScript input
- Core dumps referencing pdf_ferror or gdevpdf.c in the call stack
- Application logs showing failed output file open operations immediately preceding process termination
Detection Strategies
- Monitor process termination events on hosts running Ghostscript, print servers, and document conversion services for unexpected SIGSEGV signals
- Correlate document upload or conversion requests with subsequent worker process crashes to identify malicious inputs
- Inspect installed Ghostscript versions against the patched commit 619a106ba4c4abed95110f84d5efcd7aee38c7cb to identify vulnerable systems
Monitoring Recommendations
- Enable verbose logging in document processing pipelines to capture the input filename and output path preceding each crash
- Track EPSS scoring and vendor advisories for changes in exploitation likelihood
- Alert on abnormal restart rates of Ghostscript worker services, which may indicate repeated exploitation attempts
How to Mitigate CVE-2025-7462
Immediate Actions Required
- Apply the upstream Ghostscript patch identified by commit 619a106ba4c4abed95110f84d5efcd7aee38c7cb
- Update to a distribution package that incorporates the fix, such as the Ghostscript update from the Debian LTS advisory
- Restrict Ghostscript execution to sandboxed workers so that crashes do not affect parent services
Patch Information
Artifex resolved the issue in the GhostPDL repository via commit 619a106ba4c4abed95110f84d5efcd7aee38c7cb, which adds null-pointer validation to the pdf_ferror error path. Debian published a corresponding LTS update in October 2025. Administrators should upgrade to a Ghostscript build that includes this commit and restart any long-running services that link against the library.
Workarounds
- Validate output directories and file paths before invoking Ghostscript to reduce the frequency of failed open operations that reach pdf_ferror
- Run Ghostscript with resource limits and automatic restart policies so a crash does not degrade upstream services
- Reject untrusted PDF and PostScript uploads at the application boundary until patched packages are deployed
# Verify installed Ghostscript version and apply distribution updates
gs --version
# Debian/Ubuntu: apply the LTS security update
sudo apt update && sudo apt install --only-upgrade ghostscript
# Confirm the patched commit is present in a source build
cd ghostpdl && git log --oneline | grep 619a106ba4c4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

