Artifex Ghostscript
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Artifex Ghostscript.
Known Exploited Artifex Ghostscript Vulnerabilities
The following Artifex Ghostscript vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Artifex Ghostscript Type Confusion Vulnerability |
Artifex Ghostscript allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile. CVE-2017-8291 Exploit Probability: 92.5% |
May 24, 2022 |
The vulnerability CVE-2017-8291: Artifex Ghostscript Type Confusion Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.
By the Year
In 2025 there have been 10 vulnerabilities in Artifex Ghostscript with an average score of 3.3 out of ten. Last year, in 2024 Ghostscript had 17 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Ghostscript in 2025 could surpass last years number. Last year, the average CVE base score was greater by 4.22
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 10 | 3.30 |
| 2024 | 17 | 7.52 |
| 2023 | 9 | 7.08 |
| 2022 | 6 | 6.88 |
| 2021 | 0 | 0.00 |
| 2020 | 26 | 5.75 |
| 2019 | 10 | 7.41 |
| 2018 | 27 | 7.53 |
It may take a day or so for new Ghostscript vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Artifex Ghostscript Security Vulnerabilities
gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the # case
CVE-2025-48708
3.3 - Low
- May 23, 2025
gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the # case. A created PDF document includes its password in cleartext.
Improper Removal of Sensitive Information Before Storage or Transfer
In Artifex Ghostscript before 10.05.0, decode_utf8 in base/gp_utf8.c mishandles overlong UTF-8 encoding
CVE-2025-46646
- April 26, 2025
In Artifex Ghostscript before 10.05.0, decode_utf8 in base/gp_utf8.c mishandles overlong UTF-8 encoding. NOTE: this issue exists because of an incomplete fix for CVE-2024-46954.
An issue was discovered in Artifex Ghostscript before 10.05.0
CVE-2025-27830
- March 25, 2025
An issue was discovered in Artifex Ghostscript before 10.05.0. A buffer overflow occurs during serialization of DollarBlend in a font, for base/write_t1.c and psi/zfapi.c.
An issue was discovered in Artifex Ghostscript before 10.05.0
CVE-2025-27831
- March 25, 2025
An issue was discovered in Artifex Ghostscript before 10.05.0. The DOCXWRITE TXTWRITE device has a text buffer overflow via long characters to devices/vector/doc_common.c.
An issue was discovered in Artifex Ghostscript before 10.05.0
CVE-2025-27832
- March 25, 2025
An issue was discovered in Artifex Ghostscript before 10.05.0. The NPDL device has a Compression buffer overflow for contrib/japanese/gdevnpdl.c.
An issue was discovered in Artifex Ghostscript before 10.05.0
CVE-2025-27833
- March 25, 2025
An issue was discovered in Artifex Ghostscript before 10.05.0. A buffer overflow occurs for a long TTF font name to pdf/pdf_fmap.c.
An issue was discovered in Artifex Ghostscript before 10.05.0
CVE-2025-27834
- March 25, 2025
An issue was discovered in Artifex Ghostscript before 10.05.0. A buffer overflow occurs via an oversized Type 4 function in a PDF document to pdf/pdf_func.c.
An issue was discovered in Artifex Ghostscript before 10.05.0
CVE-2025-27835
- March 25, 2025
An issue was discovered in Artifex Ghostscript before 10.05.0. A buffer overflow occurs when converting glyphs to Unicode in psi/zbfont.c.
An issue was discovered in Artifex Ghostscript before 10.05.0
CVE-2025-27836
- March 25, 2025
An issue was discovered in Artifex Ghostscript before 10.05.0. The BJ10V device has a Print buffer overflow in contrib/japanese/gdev10v.c.
An issue was discovered in Artifex Ghostscript before 10.05.0
CVE-2025-27837
- March 25, 2025
An issue was discovered in Artifex Ghostscript before 10.05.0. Access to arbitrary files can occur through a truncated path with invalid UTF-8 characters, for base/gp_mswin.c and base/winrtsup.cpp.
Ghostscript PDF XRef Buffer Overflow
CVE-2024-46952
7.8 - High
- November 10, 2024
An issue was discovered in pdf/pdf_xref.c in Artifex Ghostscript before 10.04.0. There is a buffer overflow during handling of a PDF XRef stream (related to W array values).
Classic Buffer Overflow
Ghostscript 10.03 Path Traversal Overflow
CVE-2024-46953
7.8 - High
- November 10, 2024
An issue was discovered in base/gsdevice.c in Artifex Ghostscript before 10.04.0. An integer overflow when parsing the filename format string (for the output filename) results in path truncation, and possible path traversal and code execution.
Integer Overflow or Wraparound
Ghostscript 10.03.1 UTF-8 Traversal Flaw
CVE-2024-46954
7.8 - High
- November 10, 2024
An issue was discovered in decode_utf8 in base/gp_utf8.c in Artifex Ghostscript before 10.04.0. Overlong UTF-8 encoding leads to possible ../ directory traversal.
Directory traversal
Ghostscript 10.03 Indexed Color OOB Read
CVE-2024-46955
5.5 - Medium
- November 10, 2024
An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. There is an out-of-bounds read when reading color in Indexed color space.
Out-of-bounds Read
Ghostscript 10.03 Out-of-Bounds Access
CVE-2024-46956
7.8 - High
- November 10, 2024
An issue was discovered in psi/zfile.c in Artifex Ghostscript before 10.04.0. Out-of-bounds data access in filenameforall can lead to arbitrary code execution.
Out-of-bounds Read
Ghostscript 10.03 Pattern Color Space RCE
CVE-2024-46951
7.8 - High
- November 10, 2024
An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. An unchecked Implementation pointer in Pattern color space could lead to arbitrary code execution.
Access of Uninitialized Pointer
Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow
CVE-2024-29507
- July 03, 2024
Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters.
Artifex Ghostscript before 10.03.1
CVE-2024-29510
- July 03, 2024
Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.
Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue
CVE-2024-29511
- July 03, 2024
Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue that allows arbitrary file reading (and writing of error messages to arbitrary files) via OCRLanguage. For example, exploitation can use debug_file /tmp/out and user_patterns_file /etc/passwd.
An issue was discovered in Artifex Ghostscript before 10.03.1
CVE-2024-33869
- July 03, 2024
An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename.
An issue was discovered in Artifex Ghostscript before 10.03.1
CVE-2024-33870
- July 03, 2024
An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted.
An issue was discovered in Artifex Ghostscript before 10.03.1
CVE-2024-33871
- July 03, 2024
An issue was discovered in Artifex Ghostscript before 10.03.1. contrib/opvp/gdevopvp.c allows arbitrary code execution via a custom Driver library, exploitable via a crafted PostScript document. This occurs because the Driver parameter for opvp (and oprp) devices can have an arbitrary name for a dynamic library; this library is then loaded.
Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function
CVE-2024-29506
8.8 - High
- July 03, 2024
Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function via a long PDF filter name.
Memory Corruption
Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc.
CVE-2024-29508
3.3 - Low
- July 03, 2024
Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc.
Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g
CVE-2024-29509
8.8 - High
- July 03, 2024
Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \000 byte in the middle.
Memory Corruption
An issue was discovered in Artifex Ghostscript before 10.03.1
CVE-2023-52722
- April 28, 2024
An issue was discovered in Artifex Ghostscript before 10.03.1. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard.
Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite)
CVE-2020-36773
9.8 - Critical
- February 04, 2024
Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).
Memory Corruption
An issue was discovered in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0
CVE-2023-46751
7.5 - High
- December 06, 2023
An issue was discovered in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer.
Dangling pointer
In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents
CVE-2023-43115
8.8 - High
- September 18, 2023
In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server).
A flaw was found in ghostscript
CVE-2023-4042
5.5 - Medium
- August 23, 2023
A flaw was found in ghostscript. The fix for CVE-2020-16305 in ghostscript was not included in RHSA-2021:1852-06 advisory as it was claimed to be. This issue only affects the ghostscript package as shipped with Red Hat Enterprise Linux 8.
Memory Corruption
A divide by zero issue discovered in eps_print_page in gdevepsn.c in Artifex Software GhostScript 9.50
CVE-2020-21710
5.5 - Medium
- August 22, 2023
A divide by zero issue discovered in eps_print_page in gdevepsn.c in Artifex Software GhostScript 9.50 allows remote attackers to cause a denial of service via opening of crafted PDF file.
Divide By Zero
Buffer Overflow vulnerability in clj_media_size function in devices/gdevclj.c in Artifex Ghostscript 9.50
CVE-2020-21890
7.8 - High
- August 22, 2023
Buffer Overflow vulnerability in clj_media_size function in devices/gdevclj.c in Artifex Ghostscript 9.50 allows remote attackers to cause a denial of service or other unspecified impact(s) via opening of crafted PDF document.
Memory Corruption
A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript
CVE-2023-38559
5.5 - Medium
- August 01, 2023
A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.
Classic Buffer Overflow
An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript
CVE-2023-38560
5.5 - Medium
- August 01, 2023
An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may allow a local attacker to cause a denial of service via transforming a crafted PCL file to PDF format.
Integer Overflow or Wraparound
Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).
CVE-2023-36664
7.8 - High
- June 25, 2023
Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).
In Artifex Ghostscript through 10.01.0
CVE-2023-28879
9.8 - Critical
- March 31, 2023
In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.
Memory Corruption
A heap-based buffer overwrite vulnerability was found in GhostScript's lp8000_print_page() function in the gdevlp8k.c file
CVE-2020-27792
7.1 - High
- August 19, 2022
A heap-based buffer overwrite vulnerability was found in GhostScript's lp8000_print_page() function in the gdevlp8k.c file. This flaw allows an attacker to trick a user into opening a crafted PDF file, triggering the heap buffer overflow that could lead to memory corruption or a denial of service.
Buffer Overflow
A NULL pointer dereference vulnerability was found in Ghostscript, which occurs when it tries to render a large number of bits in memory
CVE-2022-2085
5.5 - Medium
- June 16, 2022
A NULL pointer dereference vulnerability was found in Ghostscript, which occurs when it tries to render a large number of bits in memory. When allocating a buffer device, it relies on an init_device_procs defined for the device that uses it as a prototype that depends upon the number of bits per pixel. For bpp > 64, mem_x_device is used and does not have an init_device_procs defined. This flaw allows an attacker to parse a large number of bits (more than 64 bits per pixel), which triggers a NULL pointer dereference flaw, causing an application to crash.
NULL Pointer Dereference
Artifex Ghostscript through 9.26 mishandles .completefont
CVE-2019-25059
7.8 - High
- April 25, 2022
Artifex Ghostscript through 9.26 mishandles .completefont. NOTE: this issue exists because of an incomplete fix for CVE-2019-3839.
A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command
CVE-2021-3781
9.9 - Critical
- February 16, 2022
A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Shell injection
Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in sampled_data_sample (called
CVE-2021-45944
5.5 - Medium
- January 01, 2022
Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in sampled_data_sample (called from sampled_data_continue and interp).
Dangling pointer
Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish (called
CVE-2021-45949
5.5 - Medium
- January 01, 2022
Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish (called from sampled_data_continue and interp).
Memory Corruption
A Division by Zero vulnerability in bj10v_print_page() in contrib/japanese/gdev10v.c of Artifex Software GhostScript v9.50
CVE-2020-16299
5.5 - Medium
- August 13, 2020
A Division by Zero vulnerability in bj10v_print_page() in contrib/japanese/gdev10v.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
Divide By Zero
A buffer overflow vulnerability in lprn_is_black() in contrib/lips4/gdevlprn.c of Artifex Software GhostScript v9.50
CVE-2020-16287
5.5 - Medium
- August 13, 2020
A buffer overflow vulnerability in lprn_is_black() in contrib/lips4/gdevlprn.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
Memory Corruption
A buffer overflow vulnerability in mj_color_correct() in contrib/japanese/gdevmjc.c of Artifex Software GhostScript v9.50
CVE-2020-16298
5.5 - Medium
- August 13, 2020
A buffer overflow vulnerability in mj_color_correct() in contrib/japanese/gdevmjc.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
Classic Buffer Overflow
A buffer overflow vulnerability in FloydSteinbergDitheringC() in contrib/gdevbjca.c of Artifex Software GhostScript v9.18 to v9.50
CVE-2020-16297
5.5 - Medium
- August 13, 2020
A buffer overflow vulnerability in FloydSteinbergDitheringC() in contrib/gdevbjca.c of Artifex Software GhostScript v9.18 to v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
Memory Corruption
A buffer overflow vulnerability in GetNumWrongData() in contrib/lips4/gdevlips.c of Artifex Software GhostScript from v9.18 to v9.50
CVE-2020-16296
5.5 - Medium
- August 13, 2020
A buffer overflow vulnerability in GetNumWrongData() in contrib/lips4/gdevlips.c of Artifex Software GhostScript from v9.18 to v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
Memory Corruption
A null pointer dereference vulnerability in clj_media_size() in devices/gdevclj.c of Artifex Software GhostScript v9.50
CVE-2020-16295
5.5 - Medium
- August 13, 2020
A null pointer dereference vulnerability in clj_media_size() in devices/gdevclj.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
NULL Pointer Dereference
A buffer overflow vulnerability in epsc_print_page() in devices/gdevepsc.c of Artifex Software GhostScript v9.50
CVE-2020-16294
5.5 - Medium
- August 13, 2020
A buffer overflow vulnerability in epsc_print_page() in devices/gdevepsc.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
Classic Buffer Overflow
A buffer overflow vulnerability in jetp3852_print_page() in devices/gdev3852.c of Artifex Software GhostScript v9.50
CVE-2020-16302
5.5 - Medium
- August 13, 2020
A buffer overflow vulnerability in jetp3852_print_page() in devices/gdev3852.c of Artifex Software GhostScript v9.50 allows a remote attacker to escalate privileges via a crafted PDF file. This is fixed in v9.51.
Classic Buffer Overflow
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Canonical Ubuntu Linux or by Artifex? Click the Watch button to subscribe.
