CVE-2025-6196

Name: CVE-2025-6196
Description: A flaw was found in libgepub, a library used to read EPUB files. The software mishandles file size calculations when opening specially crafted EPUB files, leading to incorrect memory allocations. This issue causes the application to crash. Known affected usage includes desktop services like Tumbler, which may process malicious files automatically when browsing directories. While no direct remote attack vectors are confirmed, any application using libgepub to parse user-supplied EPUB content could be vulnerable to a denial of service.
Source: CVE (at NVD)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release        Version    Status
libgepub (PTS)    bullseye       0.6.0-2    vulnerable
libgepub          bookworm       0.7.0-2    vulnerable
libgepub          trixie, sid    0.7.3-1    fixed

The information below is based on the following data on fixed versions.

Package     Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
libgepub    source    (unstable)    0.7.3-1

Notes

[bookworm] - libgepub <no-dsa> (Minor issue)
[bullseye] - libgepub <postponed> (Minor issue)
https://gitlab.gnome.org/GNOME/libgepub/-/issues/18
Fixed by: https://gitlab.gnome.org/GNOME/libgepub/-/commit/70895c45364ef4ee827b39b2ed1c33723410e94c (0.7.2)
