CVE-2025-14237 ‒ Canon imageCLASS MF654Cdw TTF Parsing Integer Overflow RCE
Description
An integer overflow in the TTF parser leads to a heap under-allocation, resulting in remote code execution.
Vulnerability
For Pwn2Own Ireland 2025, we used an integer overflow vulnerability to achieve remote code execution in the RTOS (real-time operating system) DryOS. When parsing a TTF (TrueType font) embedded in an XPS (XML Paper Specification) document, a user-controlled value may be set to a large number, leading to an integer overflow in the size computation for a heap allocation. Bytes from the font are then copied to the undersized allocation, overwriting structures after the heap chunk. By carefully crafting such a TTF file, one may corrupt a function pointer on the heap. One may then use the function pointer to jump to shellcode previously stored in the printer memory.
We reported this vulnerability to the Zero Day Initiative, who handled the disclosure to the vendor.
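The bug class described above, as an added illustration that is not Canon's firmware code and not part of the original advisory: a 32-bit size computation that wraps, next to a parser that validates the count before allocating and copying. The table layout, `HDR_SIZE`, `REC_SIZE` and all function names are hypothetical, since the advisory does not name the affected field.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_SIZE 16u  /* hypothetical fixed header placed before the records */
#define REC_SIZE 8u   /* hypothetical size of one record */

/* Read a big-endian 32-bit value, the byte order TrueType uses. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unsafe pattern: 32-bit arithmetic on an untrusted count wraps silently.
 * Returns the size that would be handed to the allocator. */
uint32_t unsafe_alloc_size(uint32_t count) {
    return HDR_SIZE + count * REC_SIZE;  /* computed modulo 2^32 */
}

/* Hardened pattern: reject a count whose size would wrap or that claims more
 * data than the input holds, then copy exactly what was allocated for.
 * Returns NULL on rejection; *out_len receives the allocation size. */
uint8_t *safe_load_records(const uint8_t *tbl, size_t tbl_len, size_t *out_len) {
    if (tbl == NULL || out_len == NULL || tbl_len < 4) return NULL;
    uint32_t count = be32(tbl);
    size_t avail = tbl_len - 4;                  /* bytes after the count field */
    if (count > (UINT32_MAX - HDR_SIZE) / REC_SIZE) return NULL;  /* would wrap */
    size_t payload = (size_t)count * REC_SIZE;   /* safe after the check above */
    if (payload > avail) return NULL;            /* count exceeds real data */
    uint8_t *buf = calloc(1, HDR_SIZE + payload);
    if (buf == NULL) return NULL;
    memcpy(buf + HDR_SIZE, tbl + 4, payload);    /* copy length matches allocation */
    *out_len = HDR_SIZE + payload;
    return buf;
}

int main(void) {
    /* Constructed sample: count = 0x20000000 followed by 16 bytes of data. */
    const uint8_t tbl[20] = {0x20, 0x00, 0x00, 0x00};
    size_t n = 0;
    printf("unsafe size: %u\n", (unsigned)unsafe_alloc_size(be32(tbl)));
    uint8_t *buf = safe_load_records(tbl, sizeof tbl, &n);
    printf("hardened parser: %s\n", buf ? "accepted" : "rejected");
    free(buf);
    return 0;
}
```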
Mitigations
Update to a printer firmware version that has CPE2026-01 applied, as indicated by the printer model table.
Timeline
| Date | Action |
|---|---|
| 11.11.2025 | Vulnerability reported to vendor (via ZDI) |
| 16.03.2025 | Coordinated public release of ZDI advisory |
| 15.04.2026 | Release of this advisory |