CVE-2025-1268
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Description
Out-of-bounds vulnerability in EMF Recode processing of Generic Plus PCL6 Printer Driver / Generic Plus UFR II Printer Driver / Generic Plus LIPS4 Printer Driver / Generic Plus LIPSLX Printer Driver / Generic Plus PS Printer Driver / Generic FAX Printer Driver / UFRII LT Printer Driver / CARPS2 Printer Driver / PDF Driver / LIPS4 Printer Driver / LIPSLX Printer Driver / UFR II Printer Driver / PS Printer Driver / PCL6 Printer Driver
Analysis
An out-of-bounds write vulnerability exists in the EMF Recode processing functionality of multiple Canon printer drivers, allowing remote attackers to execute arbitrary code or crash the system without authentication. The vulnerability affects a wide range of Canon's Generic Plus and standard printer drivers (PCL6, UFR II, LIPS4, LIPSLX, PS, FAX, CARPS2, and PDF drivers) and has a critical CVSS score of 9.4. With an EPSS score of 0.44% (63rd percentile), the vulnerability shows moderate real-world exploitation likelihood, though no active exploitation or public proof-of-concept has been reported.
Technical Context
The vulnerability stems from improper bounds checking during Enhanced Metafile (EMF) recode processing in Canon's printer driver software, classified as CWE-787 (Out-of-bounds Write). EMF is a Windows graphics format commonly used in print spooling operations, where print jobs are converted and processed before being sent to the printer. When the affected drivers process specially crafted EMF data, they fail to properly validate memory boundaries, leading to memory corruption that can overwrite critical data structures. This affects the entire suite of Canon's modern printer drivers including their Generic Plus series and standard drivers across multiple printing languages and protocols (PCL6, PostScript, LIPS4, LIPSLX, UFR II).
Affected Products
Canon has confirmed that multiple printer driver families are affected by this vulnerability, including Generic Plus PCL6 Printer Driver, Generic Plus UFR II Printer Driver, Generic Plus LIPS4 Printer Driver, Generic Plus LIPSLX Printer Driver, Generic Plus PS Printer Driver, Generic FAX Printer Driver, UFRII LT Printer Driver, CARPS2 Printer Driver, PDF Driver, LIPS4 Printer Driver, LIPSLX Printer Driver, UFR II Printer Driver, PS Printer Driver, and PCL6 Printer Driver. Specific version information is not provided in the available intelligence, but Canon has published security advisories detailing affected models and versions at https://psirt.canon/advisory-information/cp2025-003/ for global customers, https://canon.jp/support/support-info/250328vulnerability-response for Japanese customers, and https://www.usa.canon.com/about-us/to-our-customers/service-notice-vulnerability-remediation-for-certain-printer-drivers-for-production-printers-office-small-office-multifunction-printers-and-laser-printers for US customers.
Remediation
Canon has released updated printer drivers that address this vulnerability, and users should immediately update all affected Canon printer drivers to the latest versions available from Canon's support sites. The primary remediation is to download and install the patched drivers from Canon's regional support portals: https://www.usa.canon.com/about-us/to-our-customers/service-notice-vulnerability-remediation-for-certain-printer-drivers-for-production-printers-office-small-office-multifunction-printers-and-laser-printers for US customers, https://www.canon-europe.com/support/product-security/ for European customers, or https://canon.jp/support/support-info/250328vulnerability-response for Japanese customers. Until patching is complete, organizations should restrict network access to print servers and printers to trusted IP ranges only, disable remote printing capabilities where not required, and monitor for unusual print job submissions containing EMF data.
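To find which hosts need the update, the following added example (not from Canon or the original page) inventories the Canon printer drivers installed on a Windows machine and decodes their version numbers so they can be compared against the fixed versions in Canon's advisory. The family keywords come from the affected-driver list above; the assumption that installed driver names start with "Canon" and contain those keywords is ours.

```powershell
# Added example: inventory Canon printer drivers on a Windows host.
# Family keywords are taken from the affected-driver list on this page.
# Assumption: installed driver names contain these keywords.
$families = @(
    'Generic Plus PCL6', 'Generic Plus UFR II', 'Generic Plus LIPS4',
    'Generic Plus LIPSLX', 'Generic Plus PS', 'Generic FAX', 'UFRII LT',
    'CARPS2', 'LIPSLX', 'LIPS4', 'UFR II', 'PCL6', 'PDF', 'PS'
)

# Longer keywords are listed first so the most specific family wins.
$escaped = $families | ForEach-Object { [regex]::Escape($_) }
$pattern = '\b(' + ($escaped -join '|') + ')\b'

function ConvertTo-DriverVersionString {
    param([UInt64]$Packed)
    # DriverVersion packs four 16-bit fields: major.minor.build.revision
    $parts = foreach ($shift in 48, 32, 16, 0) {
        ($Packed -shr $shift) -band 0xFFFF
    }
    $parts -join '.'
}

Get-PrinterDriver |
    Where-Object { $_.Manufacturer -match 'Canon' -or $_.Name -match '^Canon' } |
    ForEach-Object {
        # Tag each driver with the advisory family it appears to belong to.
        $family = if ($_.Name -match $pattern) { $Matches[1] }
                  else { '(not in advisory list)' }
        [pscustomobject]@{
            Driver      = $_.Name
            Family      = $family
            Version     = ConvertTo-DriverVersionString $_.DriverVersion
            Environment = $_.PrinterEnvironment
            InfPath     = $_.InfPath
        }
    } |
    Sort-Object Driver |
    Format-Table -AutoSize
```

This page does not list fixed version numbers, so compare the Version column against the values published in Canon's advisory for each driver family.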