Cyber Resilience

CVE-2025-14235

Critical

Published: 16 January 2026

Published
16 January 2026
Modified
26 January 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0083 52.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-14235 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Canon Mf656Cdw Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 47.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-14235 is a buffer overflow vulnerability (CWE-787) in the processing of XPS font fpgm data, affecting various Canon Small Office Multifunction Printers and Laser Printers running firmware version v06.02 and earlier. The impacted models include the Satera LBP670C Series and Satera MF750C Series sold in Japan; Color imageCLASS LBP630C, Color imageCLASS MF650C Series, imageCLASS LBP230 Series, imageCLASS X LBP1238 II, imageCLASS MF450 Series, imageCLASS X MF1238 II, imageCLASS X MF1643i II, and imageCLASS X MF1643iF II sold in the US; and i-SENSYS LBP630C Series, i-SENSYS MF650C Series, i-SENSYS LBP230 Series, 1238P II, 1238Pr II, i-SENSYS MF450 Series, i-SENSYS MF550 Series, 1238i II, 1238iF II, imageRUNNER 1643i II, and imageRUNNER 1643iF II sold in Europe. The vulnerability was published on 2026-01-16 and carries a CVSS v3.1 base score of 9.8 (Critical).

An unauthenticated attacker on the same network segment can exploit this vulnerability remotely with low complexity and no user interaction required (AV:N/AC:L/PR:N/UI:N/S:U). Successful exploitation may cause the affected printer to become unresponsive (denial of service) or allow execution of arbitrary code, potentially leading to high confidentiality, integrity, and availability impacts (C:H/I:H/A:H).

Canon has issued advisories through its PSIRT (cp2026-001) and regional support pages, including remediation measures and service notices for addressing the buffer overflow vulnerability in the listed laser printers and multifunction printers. Practitioners should consult the following resources for patches and mitigation guidance: https://canon.jp/support/support-info/260115vulnerability-response, https://psirt.canon/advisory-information/cp2026-001/, https://www.canon-europe.com/support/product-security/, and https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers.

EU & UK References

Vulnerability details

Buffer overflow in XPS font fpgm data processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code. *: Satera LBP670C…

more

Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan.Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in US.i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Buffer overflow enables remote unauthenticated RCE/DoS against exposed printer service (XPS font processing).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-14232Same product: Canon Lbp1238 Ii
CVE-2025-14236Same product: Canon Lbp1238 Ii
CVE-2025-14231Same product: Canon Lbp1238 Ii
CVE-2025-14234Same product: Canon Lbp1238 Ii
CVE-2025-14237Same product: Canon Lbp1238 Ii
CVE-2024-12647Same product: Canon Lbp1238 Ii
CVE-2024-12648Same product: Canon Lbp1238 Ii
CVE-2024-12649Same product: Canon Lbp1238 Ii
CVE-2025-14233Same product: Canon Lbp1238 Ii
CVE-2025-20633Shared CWE-787

Affected Assets

canon
mf656cdw firmware
≤ 06.02
canon
mf653cdw firmware
≤ 06.02
canon
mf652cw firmware
≤ 06.02
canon
mf1238 ii firmware
≤ 06.02
canon
mf1643if ii firmware
≤ 06.02
canon
mf1643i ii firmware
≤ 06.02
canon
lbp237dw firmware
≤ 06.02
canon
lbp236dw firmware
≤ 06.02
canon
lbp633cdw firmware
≤ 06.02
canon
lbp632cdw firmware
≤ 06.02
+6 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Firmware remediation through Canon's patches directly eliminates the buffer overflow vulnerability in XPS font fpgm processing.

prevent

Validating the length and format of XPS font fpgm data inputs prevents the buffer overflow during parsing.

prevent

Memory protection mechanisms like non-executable stacks and ASLR thwart arbitrary code execution from the buffer overflow exploit.

References