CVE-2025-6196

A flaw was found in libgepub, a library used to read EPUB files. The software mishandles file size calculations when opening specially crafted EPUB files, leading to incorrect memory allocations. This issue causes the application to crash. Known affected usage includes desktop services like Tumbler, which may process malicious files automatically when browsing directories. While no direct remote attack vectors are confirmed, any application using libgepub to parse user-supplied EPUB content could be vulnerable to a denial of service.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
redhatCNA
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Debian logo
Debian Releases
Debian Product
Codename
libgepub
bullseye
postponed
bookworm
no-dsa
trixie
0.7.3-1
fixed
sid
0.7.3-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libgepub
plucky
not-affected
oracular
ignored
noble
needs-triage
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2025-6196
https://bugzilla.redhat.com/show_bug.cgi?id=2373117
https://gitlab.gnome.org/GNOME/libgepub/-/issues/18