CVE-2025-27832

Critical

Published: 25 March 2025

Published

25 March 2025

Modified

03 November 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0021 43.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27832 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Artifex Ghostscript. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 43.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring timely identification, reporting, and correction of the buffer overflow flaw in Ghostscript via patching or upgrading to version 10.05.0 or later.

SI-16 Memory Protection good match

prevent

Implements memory protections like address space layout randomization and data execution prevention to block arbitrary code execution from the buffer overflow exploitation.

CM-7 Least Functionality partial match

prevent

Restricts Ghostscript to least functionality by disabling unnecessary output devices such as the vulnerable NPDL device, avoiding the specific code path exploited in gdevnpdl.c.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The buffer overflow in Ghostscript enables remote arbitrary code execution via malicious PostScript/PDF file processing, directly mapping to exploitation for client execution in document interpreter software.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An issue was discovered in Artifex Ghostscript before 10.05.0. The NPDL device has a Compression buffer overflow for contrib/japanese/gdevnpdl.c.

Deeper analysisAI

CVE-2025-27832 is a compression buffer overflow vulnerability in the NPDL device of Artifex Ghostscript versions before 10.05.0, located in the file contrib/japanese/gdevnpdl.c. This flaw, classified as CWE-120 (Buffer Copy without Checking Size of Input), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

Remote attackers can exploit this vulnerability over the network with low attack complexity, no required privileges, and no user interaction. Exploitation grants high confidentiality, integrity, and availability impacts, enabling outcomes such as arbitrary code execution on affected systems processing malicious PostScript or PDF files via Ghostscript.

Advisories recommend upgrading to Ghostscript 10.05.0 or later to mitigate the issue. Key references include the Ghostscript bug tracker entry at https://bugs.ghostscript.com/show_bug.cgi?id=708133, which documents the fix, and the Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/04/msg00014.html, outlining patches for Debian systems.