Skip to main content

HP CVE-2025-7698

MEDIUM
Out-of-bounds Read (CWE-125)
2025-09-29 f98c90f0-e9bd-4fa7-911b-51993f3571fd
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Mar 16, 2026 - 14:30 vuln.today
CVE Published
Sep 29, 2025 - 01:15 nvd
MEDIUM 5.9

DescriptionCVE.org

Out-of-bounds read vulnerabilities in print processing of Generic Plus PCL6 Printer Driver / Generic Plus UFR II Printer Driver / Generic Plus LIPS4 Printer Driver / Generic Plus LIPSLX Printer Driver / Generic Plus PS Printer Driver / UFRII LT Printer Driver / CARPS2 Printer Driver / Generic FAX Driver / LIPS4 Printer Driver / LIPSLX Printer Driver / UFR II Printer Driver / PS Printer Driver / PCL6 Printer Driver

AnalysisAI

Out-of-bounds read vulnerabilities exist in the print processing functionality of multiple Canon printer driver families, including Generic Plus PCL6, UFR II, LIPS4, LIPSLX, PS, PCL6, CARPS2, and related variants. These vulnerabilities allow remote attackers to read sensitive memory contents (information disclosure) and potentially cause application crashes, requiring user interaction (opening a malicious print job) to trigger. With an EPSS score of 0.05% and no evidence of active exploitation in the wild, this represents a low real-world risk despite moderate CVSS scoring.

Technical ContextAI

The vulnerabilities stem from CWE-125 (out-of-bounds read) errors in the print processing subsystems across Canon's printer driver ecosystem. These drivers handle multiple page description languages (PCL6, UFR II, LIPS4, LIPSLX, PostScript) and translate them into printer-specific commands. The root cause involves insufficient bounds checking when parsing print job data structures, allowing an attacker to supply a crafted print file that causes the driver to read past allocated buffer boundaries. This is a classic memory safety issue where the driver fails to validate buffer offsets before memory access operations during print job interpretation.

Affected ProductsAI

Multiple Canon printer driver families are affected, including Generic Plus PCL6, Generic Plus UFR II, Generic Plus LIPS4, Generic Plus LIPSLX, Generic Plus PS, UFRII LT, CARPS2, Generic FAX, LIPS4, LIPSLX, UFR II, PS, and PCL6 Printer Drivers. Specific version ranges are not detailed in available CVE data, but Canon's official advisory (CP2025-005) at https://psirt.canon/advisory-information/cp2025-005/ provides complete affected version lists. Affected product scope includes drivers for production printers, office/small office multifunction printers, and laser printers. The vulnerability advisory from Canon USA is available at https://www.usa.canon.com/about-us/to-our-customers/cp2025-005-vulnerabilities-remediation-for-certain-printer-drivers-for-production-printers-office-small-office-multifunction-printers-laser-printers and European support information at https://www.canon-europe.com/support/product-security/.

RemediationAI

Immediately apply vendor-supplied patches from Canon's CP2025-005 advisory (https://psirt.canon/advisory-information/cp2025-005/) which provides fixed driver versions for all affected product families. Download and deploy the patched drivers corresponding to your specific printer models and operating systems from Canon's support portal (https://canon.jp/support/support-info/250925vulnerability-response). Until patching is complete, restrict print job submissions to trusted internal sources only, disable network printing where feasible, and educate users not to open suspicious print files from untrusted sources. Organizations should prioritize patching production printer drivers first, as these are typically shared network resources with higher exposure.

More in HP

View all
CVE-2017-3881 CRITICAL POC
9.8 Mar 17

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software co

CVE-2013-4810 CRITICAL POC
9.8 Sep 16

HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle

CVE-2014-2623 CRITICAL POC
10.0 Jul 18

Unspecified vulnerability in HP Storage Data Protector 8.x allows remote attackers to execute arbitrary code via unknown

CVE-2013-6221 CRITICAL POC
10.0 Jun 18

Directory traversal vulnerability in CommunicationServlet in HP Service Virtualization 3.x before 3.50.1, when the AutoP

CVE-2013-2367 CRITICAL POC
10.0 Jul 31

Multiple unspecified vulnerabilities in HP SiteScope 11.20 and 11.21, when SOAP is used, allow remote attackers to execu

CVE-2013-4811 CRITICAL POC
10.0 Sep 16

UpdateDomainControllerServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4

CVE-2013-4798 CRITICAL POC
10.0 Jul 29

Unspecified vulnerability in HP LoadRunner before 11.52 allows remote attackers to execute arbitrary code via unknown ve

CVE-2012-2020 CRITICAL POC
10.0 Jul 11

Unspecified vulnerability in HP Operations Agent before 11.03.12 allows remote attackers to execute arbitrary code via u

CVE-2013-2333 CRITICAL POC
10.0 Jun 06

Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.00, and 7.01 allows remote attackers to execute arb

CVE-2014-2624 CRITICAL POC
10.0 Sep 11

Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute ar

CVE-2013-6194 CRITICAL POC
10.0 Jan 04

Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a

CVE-2013-2347 CRITICAL POC
10.0 Jan 04

The Backup Client Service (OmniInet.exe) in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary

Share

CVE-2025-7698 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy