CVE-2025-7698
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L
Lifecycle Timeline
2Description
Out-of-bounds read vulnerabilities in print processing of Generic Plus PCL6 Printer Driver / Generic Plus UFR II Printer Driver / Generic Plus LIPS4 Printer Driver / Generic Plus LIPSLX Printer Driver / Generic Plus PS Printer Driver / UFRII LT Printer Driver / CARPS2 Printer Driver / Generic FAX Driver / LIPS4 Printer Driver / LIPSLX Printer Driver / UFR II Printer Driver / PS Printer Driver / PCL6 Printer Driver
Analysis
Out-of-bounds read vulnerabilities exist in the print processing functionality of multiple Canon printer driver families, including Generic Plus PCL6, UFR II, LIPS4, LIPSLX, PS, PCL6, CARPS2, and related variants. These vulnerabilities allow remote attackers to read sensitive memory contents (information disclosure) and potentially cause application crashes, requiring user interaction (opening a malicious print job) to trigger. With an EPSS score of 0.05% and no evidence of active exploitation in the wild, this represents a low real-world risk despite moderate CVSS scoring.
Technical Context
The vulnerabilities stem from CWE-125 (out-of-bounds read) errors in the print processing subsystems across Canon's printer driver ecosystem. These drivers handle multiple page description languages (PCL6, UFR II, LIPS4, LIPSLX, PostScript) and translate them into printer-specific commands. The root cause involves insufficient bounds checking when parsing print job data structures, allowing an attacker to supply a crafted print file that causes the driver to read past allocated buffer boundaries. This is a classic memory safety issue where the driver fails to validate buffer offsets before memory access operations during print job interpretation.
Affected Products
Multiple Canon printer driver families are affected, including Generic Plus PCL6, Generic Plus UFR II, Generic Plus LIPS4, Generic Plus LIPSLX, Generic Plus PS, UFRII LT, CARPS2, Generic FAX, LIPS4, LIPSLX, UFR II, PS, and PCL6 Printer Drivers. Specific version ranges are not detailed in available CVE data, but Canon's official advisory (CP2025-005) at https://psirt.canon/advisory-information/cp2025-005/ provides complete affected version lists. Affected product scope includes drivers for production printers, office/small office multifunction printers, and laser printers. The vulnerability advisory from Canon USA is available at https://www.usa.canon.com/about-us/to-our-customers/cp2025-005-vulnerabilities-remediation-for-certain-printer-drivers-for-production-printers-office-small-office-multifunction-printers-laser-printers and European support information at https://www.canon-europe.com/support/product-security/.
Remediation
Immediately apply vendor-supplied patches from Canon's CP2025-005 advisory (https://psirt.canon/advisory-information/cp2025-005/) which provides fixed driver versions for all affected product families. Download and deploy the patched drivers corresponding to your specific printer models and operating systems from Canon's support portal (https://canon.jp/support/support-info/250925vulnerability-response). Until patching is complete, restrict print job submissions to trusted internal sources only, disable network printing where feasible, and educate users not to open suspicious print files from untrusted sources. Organizations should prioritize patching production printer drivers first, as these are typically shared network resources with higher exposure.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today