Ghostscript Artifex Ghostscript


Known Exploited Artifex Ghostscript Vulnerabilities

The following Artifex Ghostscript vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: Artifex Ghostscript Type Confusion Vulnerability
Description: Artifex Ghostscript allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile.
CVE: CVE-2017-8291 (Exploit Probability: 92.9%)
Added: May 24, 2022

The vulnerability CVE-2017-8291: Artifex Ghostscript Type Confusion Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 0 vulnerabilities in Artifex Ghostscript. Last year, in 2025, Ghostscript had 14 security vulnerabilities published. Right now, Ghostscript is on track to have fewer security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 14 6.55
2024 17 7.52
2023 9 7.08
2022 6 6.70
2021 0 0.00
2020 26 6.22
2019 10 6.42
2018 27 7.52

It may take a day or so for new Ghostscript vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Artifex Ghostscript Security Vulnerabilities

Integer Overflow in Artifex Ghostscript 10.05.1 OCR Module Leading to Heap Buffer Overflow
CVE-2025-59800 4.3 - Medium - September 22, 2025

In Artifex Ghostscript through 10.05.1, ocr_begin_page in devices/gdevpdfocr.c has an integer overflow that leads to a heap-based buffer overflow in ocr_line8.

Integer Overflow or Wraparound

Artifex Ghostscript 10.05.1 Stack Overflow via pdfmark_coerce_dest
CVE-2025-59799 4.3 - Medium - September 22, 2025

Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow in pdfmark_coerce_dest in devices/vector/gdevpdfm.c via a large size value.

Stack Overflow

Artifex Ghostscript 10.05.1 Stack Buffer Overflow CVE-2025-59798
CVE-2025-59798 4.3 - Medium - September 22, 2025

Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow in pdf_write_cmap in devices/vector/gdevpdtw.c.

Stack Overflow

Artifex GhostPDL Remote DoS via NULL Pointer Dereference in pdf_ferror
CVE-2025-7462 4.3 - Medium - July 12, 2025

A vulnerability was found in Artifex GhostPDL up to 3989415a5b8e99b9d1b87cc9902bde9b7cdea145. It has been classified as problematic. This affects the function pdf_ferror of the file devices/vector/gdevpdf.c of the component New Output File Open Error Handler. The manipulation leads to null pointer dereference. It is possible to initiate the attack remotely. The identifier of the patch is 619a106ba4c4abed95110f84d5efcd7aee38c7cb. It is recommended to apply a patch to fix this issue.

NULL Pointer Dereference

Ghostscript Pre-10.05.1 Cleartext Password Leak via Unsanitized # Argument
CVE-2025-48708 3.3 - Low - May 23, 2025

gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the # case. A created PDF document includes its password in cleartext.

Improper Removal of Sensitive Information Before Storage or Transfer

Ghostscript <10.05.0 Overlong UTF-8 Decode, gp_utf8.c
CVE-2025-46646 - April 26, 2025

In Artifex Ghostscript before 10.05.0, decode_utf8 in base/gp_utf8.c mishandles overlong UTF-8 encoding. NOTE: this issue exists because of an incomplete fix for CVE-2024-46954.

Ghostscript <10.05 Buffer Overflow in DollarBlend Font Serialization
CVE-2025-27830 7.8 - High - March 25, 2025

An issue was discovered in Artifex Ghostscript before 10.05.0. A buffer overflow occurs during serialization of DollarBlend in a font, for base/write_t1.c and psi/zfapi.c.

Classic Buffer Overflow

Text Buffer Overflow in Artifex Ghostscript DOCXWRITE TXTWRITE Device <10.05.0
CVE-2025-27831 9.8 - Critical - March 25, 2025

An issue was discovered in Artifex Ghostscript before 10.05.0. The DOCXWRITE TXTWRITE device has a text buffer overflow via long characters to devices/vector/doc_common.c.

Classic Buffer Overflow

Ghostscript 10.05.0 NPDL Device Compression Buffer Overflow
CVE-2025-27832 9.8 - Critical - March 25, 2025

An issue was discovered in Artifex Ghostscript before 10.05.0. The NPDL device has a Compression buffer overflow for contrib/japanese/gdevnpdl.c.

Classic Buffer Overflow

Artifex Ghostscript <10.05.0 Buffer Overflow via TTF Font Name in pdf/pdf_fmap.c
CVE-2025-27833 - March 25, 2025

An issue was discovered in Artifex Ghostscript before 10.05.0. A buffer overflow occurs for a long TTF font name to pdf/pdf_fmap.c.

Ghostscript <10.05.0 Buffer Overflow via Oversized Type 4 PDF Function
CVE-2025-27834 - March 25, 2025

An issue was discovered in Artifex Ghostscript before 10.05.0. A buffer overflow occurs via an oversized Type 4 function in a PDF document to pdf/pdf_func.c.

Ghostscript <10.05.0 Buffer Overflow in psi/zbfont.c Unicode Glyph Conversion
CVE-2025-27835 7.8 - High - March 25, 2025

An issue was discovered in Artifex Ghostscript before 10.05.0. A buffer overflow occurs when converting glyphs to Unicode in psi/zbfont.c.

Classic Buffer Overflow

Ghostscript Buffer Overflow CVE-2025-27836 (BJ10V) before 10.05.0
CVE-2025-27836 9.8 - Critical - March 25, 2025

An issue was discovered in Artifex Ghostscript before 10.05.0. The BJ10V device has a Print buffer overflow in contrib/japanese/gdev10v.c.

Classic Buffer Overflow

Ghostscript <=10.05.0 LFI via Invalid UTF-8 in winrtsup.cpp
CVE-2025-27837 - March 25, 2025

An issue was discovered in Artifex Ghostscript before 10.05.0. Access to arbitrary files can occur through a truncated path with invalid UTF-8 characters, for base/gp_mswin.c and base/winrtsup.cpp.

Ghostscript PDF XRef Buffer Overflow
CVE-2024-46952 7.8 - High - November 10, 2024

An issue was discovered in pdf/pdf_xref.c in Artifex Ghostscript before 10.04.0. There is a buffer overflow during handling of a PDF XRef stream (related to W array values).

Classic Buffer Overflow

Ghostscript 10.03 Path Traversal Overflow
CVE-2024-46953 7.8 - High - November 10, 2024

An issue was discovered in base/gsdevice.c in Artifex Ghostscript before 10.04.0. An integer overflow when parsing the filename format string (for the output filename) results in path truncation, and possible path traversal and code execution.

Integer Overflow or Wraparound

Ghostscript 10.03.1 UTF-8 Traversal Flaw
CVE-2024-46954 7.8 - High - November 10, 2024

An issue was discovered in decode_utf8 in base/gp_utf8.c in Artifex Ghostscript before 10.04.0. Overlong UTF-8 encoding leads to possible ../ directory traversal.

Directory traversal

Ghostscript 10.03 Indexed Color OOB Read
CVE-2024-46955 5.5 - Medium - November 10, 2024

An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. There is an out-of-bounds read when reading color in Indexed color space.

Out-of-bounds Read

Ghostscript 10.03 Out-of-Bounds Access
CVE-2024-46956 7.8 - High - November 10, 2024

An issue was discovered in psi/zfile.c in Artifex Ghostscript before 10.04.0. Out-of-bounds data access in filenameforall can lead to arbitrary code execution.

Out-of-bounds Read

Ghostscript 10.03 Pattern Color Space RCE
CVE-2024-46951 7.8 - High - November 10, 2024

An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. An unchecked Implementation pointer in Pattern color space could lead to arbitrary code execution.

Access of Uninitialized Pointer

Ghostscript <10.03.0 Stack Buffer Overflow via CIDFSubstPath & CIDFSubstFont
CVE-2024-29507 - July 03, 2024

Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters.

Artifex Ghostscript before 10.03.1 memory corruption via format string (uniprint)
CVE-2024-29510 - July 03, 2024

Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.

Ghostscript <=10.03.1 Tesseract OCR Directory Traversal
CVE-2024-29511 - July 03, 2024

Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue that allows arbitrary file reading (and writing of error messages to arbitrary files) via OCRLanguage. For example, exploitation can use debug_file /tmp/out and user_patterns_file /etc/passwd.

Artifex Ghostscript <10.03.1: Path Traversal & Command Exec
CVE-2024-33869 - July 03, 2024

An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename.

Ghostscript <=10.03.1 Path Traversal via Crafting PS Docs
CVE-2024-33870 - July 03, 2024

An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted.

Arbitrary Code Exec in Artifex Ghostscript <10.03.1 via Driver Lib
CVE-2024-33871 - July 03, 2024

An issue was discovered in Artifex Ghostscript before 10.03.1. contrib/opvp/gdevopvp.c allows arbitrary code execution via a custom Driver library, exploitable via a crafted PostScript document. This occurs because the Driver parameter for opvp (and oprp) devices can have an arbitrary name for a dynamic library; this library is then loaded.

Artifex Ghostscript 10.03.0 Heap-Based Pointer Disclosure in pdf_base_font_alloc
CVE-2024-29508 3.3 - Low - July 03, 2024

Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc.

Heap Overflow in Ghostscript <=10.03.0 via PDFPassword with NUL
CVE-2024-29509 8.8 - High - July 03, 2024

Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \000 byte in the middle.

Memory Corruption

Ghostscript 10.03 Buffer Overflow via long PDF Filter name
CVE-2024-29506 8.8 - High - July 03, 2024

Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function via a long PDF filter name.

Memory Corruption

Ghostscript <10.03.1: eexec Seed Bypass in SAFER Mode (psi/zmisc1.c)
CVE-2023-52722 - April 28, 2024

An issue was discovered in Artifex Ghostscript before 10.03.1. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard.

Artifex Ghostscript <9.53.0 Out-of-Bounds Write/Use-After-Free in txtwrite
CVE-2020-36773 9.8 - Critical - February 04, 2024

Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).

Memory Corruption

Ghostscript <10.02.0 DoS via dangling pointer in gdev_prn_open_printer_seekable
CVE-2023-46751 7.5 - High - December 06, 2023

An issue in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer.

Dangling pointer

RCE via IJS device in Ghostscript <=10.01.2 (gdevijs.c)
CVE-2023-43115 8.8 - High - September 18, 2023

In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server).

Ghostscript CVE-2023-4042: Unpatched Bug in RHGA Package
CVE-2023-4042 5.5 - Medium - August 23, 2023

A flaw was found in ghostscript. The fix for CVE-2020-16305 in ghostscript was not included in RHSA-2021:1852-06 advisory as it was claimed to be. This issue only affects the ghostscript package as shipped with Red Hat Enterprise Linux 8.

Out-of-bounds Read

GhostScript 9.50: divide-by-zero in eps_print_page causes DoS
CVE-2020-21710 5.5 - Medium - August 22, 2023

A divide-by-zero issue discovered in eps_print_page in gdevepsn.c in Artifex Software GhostScript 9.50 allows remote attackers to cause a denial of service via opening of a crafted PDF file.

Divide By Zero

Ghostscript 9.50 gdevclj Buffer Overflow (clj_media_size)
CVE-2020-21890 7.8 - High - August 22, 2023

A buffer overflow vulnerability in the clj_media_size function in devices/gdevclj.c in Artifex Ghostscript 9.50 allows remote attackers to cause a denial of service or other unspecified impact(s) via opening of a crafted PDF document.

Memory Corruption

Ghostscript Devn PCX RLE Buffer Overflow Enables Local DoS
CVE-2023-38559 5.5 - Medium - August 01, 2023

A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.

Out-of-bounds Read

Integer Overflow in Ghostscript pl_glyph_name Leads to Local DoS
CVE-2023-38560 5.5 - Medium - August 01, 2023

An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may allow a local attacker to cause a denial of service via transforming a crafted PCL file to PDF format.

Integer Overflow or Wraparound

Ghostscript 10.01.2 Pipe Permission Bypass CVE-2023-36664
CVE-2023-36664 7.8 - High - June 25, 2023

Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).

Ghostscript <=10.01.0 Buffer Overflow in BCP/TBCP Encode/Decode
CVE-2023-28879 9.8 - Critical - March 31, 2023

In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.

Memory Corruption

GhostScript Heap Overflow in lp8000_print_page()
CVE-2020-27792 7.1 - High - August 19, 2022

A heap-based buffer overwrite vulnerability was found in GhostScript's lp8000_print_page() function in the gdevlp8k.c file. This flaw allows an attacker to trick a user into opening a crafted PDF file, triggering the heap buffer overflow that could lead to memory corruption or a denial of service.

Buffer Overflow

A NULL pointer dereference vulnerability was found in Ghostscript, which occurs when it tries to render a large number of bits in memory
CVE-2022-2085 5.5 - Medium - June 16, 2022

A NULL pointer dereference vulnerability was found in Ghostscript, which occurs when it tries to render a large number of bits in memory. When allocating a buffer device, it relies on an init_device_procs defined for the device that uses it as a prototype that depends upon the number of bits per pixel. For bpp > 64, mem_x_device is used and does not have an init_device_procs defined. This flaw allows an attacker to parse a large number of bits (more than 64 bits per pixel), which triggers a NULL pointer dereference flaw, causing an application to crash.

NULL Pointer Dereference

Artifex Ghostscript through 9.26 mishandles .completefont
CVE-2019-25059 - April 25, 2022

Artifex Ghostscript through 9.26 mishandles .completefont. NOTE: this issue exists because of an incomplete fix for CVE-2019-3839.

A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command
CVE-2021-3781 9.9 - Critical - February 16, 2022

A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Shell injection

Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in sampled_data_sample (called
CVE-2021-45944 5.5 - Medium - January 01, 2022

Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in sampled_data_sample (called from sampled_data_continue and interp).

Dangling pointer

Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish (called
CVE-2021-45949 5.5 - Medium - January 01, 2022

Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish (called from sampled_data_continue and interp).

Memory Corruption

A null pointer dereference vulnerability in compose_group_nonknockout_nonblend_isolated_allmask_common() in base/gxblend.c of Artifex Software GhostScript v9.50
CVE-2020-16293 - August 13, 2020

A null pointer dereference vulnerability in compose_group_nonknockout_nonblend_isolated_allmask_common() in base/gxblend.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.

A buffer overflow vulnerability in FloydSteinbergDitheringC() in contrib/gdevbjca.c of Artifex Software GhostScript v9.18 to v9.50
CVE-2020-16297 5.5 - Medium - August 13, 2020

A buffer overflow vulnerability in FloydSteinbergDitheringC() in contrib/gdevbjca.c of Artifex Software GhostScript v9.18 to v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.

Memory Corruption

A buffer overflow vulnerability in epsc_print_page() in devices/gdevepsc.c of Artifex Software GhostScript v9.50
CVE-2020-16294 - August 13, 2020

A buffer overflow vulnerability in epsc_print_page() in devices/gdevepsc.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.

A null pointer dereference vulnerability in clj_media_size() in devices/gdevclj.c of Artifex Software GhostScript v9.50
CVE-2020-16295 - August 13, 2020

A null pointer dereference vulnerability in clj_media_size() in devices/gdevclj.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
